authorBrad King <brad.king@kitware.com>2024-03-01 15:56:03 (GMT)
committerBrad King <brad.king@kitware.com>2024-03-12 14:46:11 (GMT)
commit0aba13a2f3169687943d4b7d0f05ed65e46ca137 (patch)
tree7fad7fde1b18a8f3fc554615c22aec090ce2e490 /Source
parent51728a6dd3955eadb596b8eb7b74681f529d39cb (diff)
ctest: Add explicit options for TLS server verification
Add a dedicated `TLSVerify` ctest option and a `CTEST_TLS_VERIFY` variable to control it. Deprecate `CurlOptions` because it exposes internal implementation details.
Diffstat (limited to 'Source')
-rw-r--r--Source/CTest/cmCTestCurl.cxx25
-rw-r--r--Source/CTest/cmCTestCurl.h4
-rw-r--r--Source/CTest/cmCTestSubmitCommand.cxx2
-rw-r--r--Source/CTest/cmCTestSubmitHandler.cxx10
4 files changed, 28 insertions, 13 deletions
diff --git a/Source/CTest/cmCTestCurl.cxx b/Source/CTest/cmCTestCurl.cxx
index d3a0a13..e5963c6 100644
--- a/Source/CTest/cmCTestCurl.cxx
+++ b/Source/CTest/cmCTestCurl.cxx
@@ -12,6 +12,7 @@
#include "cmList.h"
#include "cmStringAlgorithms.h"
#include "cmSystemTools.h"
+#include "cmValue.h"
cmCTestCurl::cmCTestCurl(cmCTest* ctest)
: CTest(ctest)
@@ -57,13 +58,18 @@ size_t curlDebugCallback(CURL* /*unused*/, curl_infotype /*unused*/,
cmCTestCurlOpts::cmCTestCurlOpts(cmCTest* ctest)
{
- cmList args{ ctest->GetCTestConfiguration("CurlOptions") };
- for (std::string const& arg : args) {
- if (arg == "CURLOPT_SSL_VERIFYPEER_OFF") {
- this->VerifyPeerOff = true;
- }
- if (arg == "CURLOPT_SSL_VERIFYHOST_OFF") {
- this->VerifyHostOff = true;
+ std::string tlsVerify = ctest->GetCTestConfiguration("TLSVerify");
+ if (!tlsVerify.empty()) {
+ this->TLSVerifyOpt = cmIsOn(tlsVerify);
+ } else {
+ cmList args{ ctest->GetCTestConfiguration("CurlOptions") };
+ for (std::string const& arg : args) {
+ if (arg == "CURLOPT_SSL_VERIFYPEER_OFF") {
+ this->TLSVerifyOpt = false;
+ }
+ if (arg == "CURLOPT_SSL_VERIFYHOST_OFF") {
+ this->VerifyHostOff = true;
+ }
}
}
}
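Review bot: Any non-empty `TLSVerify` value that `cmIsOn` does not recognise as true sets `TLSVerifyOpt` to false, so a misspelled or unexpected value silently turns certificate verification off. Because this setting decides whether the submission server's certificate is validated, it would be safer to disable only on an explicit false value, e.g. `this->TLSVerifyOpt = !cmIsOff(tlsVerify);`, or to report unrecognised values as an error. The constructor would also benefit from a comment stating that a non-empty `TLSVerify` causes `CurlOptions` to be ignored entirely, including `CURLOPT_SSL_VERIFYHOST_OFF`.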
@@ -74,8 +80,9 @@ bool cmCTestCurl::InitCurl()
return false;
}
cmCurlSetCAInfo(this->Curl);
- if (this->CurlOpts.VerifyPeerOff) {
- curl_easy_setopt(this->Curl, CURLOPT_SSL_VERIFYPEER, 0);
+ if (this->CurlOpts.TLSVerifyOpt) {
+ curl_easy_setopt(this->Curl, CURLOPT_SSL_VERIFYPEER,
+ *this->CurlOpts.TLSVerifyOpt ? 1 : 0);
}
if (this->CurlOpts.VerifyHostOff) {
curl_easy_setopt(this->Curl, CURLOPT_SSL_VERIFYHOST, 0);
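Review bot: The value passed for `CURLOPT_SSL_VERIFYPEER` has type `int` (`... ? 1 : 0`), but libcurl documents this option as taking a `long`, and `curl_easy_setopt` is variadic so no conversion happens at the call. Writing `*this->CurlOpts.TLSVerifyOpt ? 1L : 0L` avoids depending on the platform's calling convention. The same applies to the matching call added in `cmCTestSubmitHandler::SubmitUsingHTTP` and to the existing `CURLOPT_SSL_VERIFYHOST, 0` line here. `InitCurl` begins and continues outside this hunk.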
diff --git a/Source/CTest/cmCTestCurl.h b/Source/CTest/cmCTestCurl.h
index ea60f19..b027e43 100644
--- a/Source/CTest/cmCTestCurl.h
+++ b/Source/CTest/cmCTestCurl.h
@@ -7,6 +7,8 @@
#include <string>
#include <vector>
+#include <cm/optional>
+
#include <cm3p/curl/curl.h>
class cmCTest;
@@ -14,7 +16,7 @@ class cmCTest;
struct cmCTestCurlOpts
{
cmCTestCurlOpts(cmCTest* ctest);
- bool VerifyPeerOff = false;
+ cm::optional<bool> TLSVerifyOpt;
bool VerifyHostOff = false;
};
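Review bot: `TLSVerifyOpt` now has three states, but nothing in the struct says what the unset state means or that the field only drives `CURLOPT_SSL_VERIFYPEER`. A comment on the member such as `// Unset: keep libcurl's peer-verification default; set: force CURLOPT_SSL_VERIFYPEER on or off.` would make that explicit. It is also worth noting there that host-name checking remains controlled separately by `VerifyHostOff`, so from the visible code `TLSVerify` does not by itself change `CURLOPT_SSL_VERIFYHOST`.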
diff --git a/Source/CTest/cmCTestSubmitCommand.cxx b/Source/CTest/cmCTestSubmitCommand.cxx
index a92f9f2..90542e9 100644
--- a/Source/CTest/cmCTestSubmitCommand.cxx
+++ b/Source/CTest/cmCTestSubmitCommand.cxx
@@ -56,6 +56,8 @@ cmCTestGenericHandler* cmCTestSubmitCommand::InitializeHandler()
}
this->CTest->SetCTestConfigurationFromCMakeVariable(
+ this->Makefile, "TLSVerify", "CTEST_TLS_VERIFY", this->Quiet);
+ this->CTest->SetCTestConfigurationFromCMakeVariable(
this->Makefile, "CurlOptions", "CTEST_CURL_OPTIONS", this->Quiet);
this->CTest->SetCTestConfigurationFromCMakeVariable(
this->Makefile, "SubmitInactivityTimeout",
diff --git a/Source/CTest/cmCTestSubmitHandler.cxx b/Source/CTest/cmCTestSubmitHandler.cxx
index 654fbfa..431f108 100644
--- a/Source/CTest/cmCTestSubmitHandler.cxx
+++ b/Source/CTest/cmCTestSubmitHandler.cxx
@@ -8,6 +8,7 @@
#include <sstream>
#include <cm/iomanip>
+#include <cm/optional>
#include <cmext/algorithm>
#include <cm3p/curl/curl.h>
@@ -177,11 +178,14 @@ bool cmCTestSubmitHandler::SubmitUsingHTTP(
curl = curl_easy_init();
if (curl) {
cmCurlSetCAInfo(curl);
- if (curlOpts.VerifyPeerOff) {
+ if (curlOpts.TLSVerifyOpt) {
cmCTestOptionalLog(this->CTest, HANDLER_VERBOSE_OUTPUT,
- " Set CURLOPT_SSL_VERIFYPEER to off\n",
+ " Set CURLOPT_SSL_VERIFYPEER to "
+ << (*curlOpts.TLSVerifyOpt ? "on" : "off")
+ << "\n",
this->Quiet);
- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER,
+ *curlOpts.TLSVerifyOpt ? 1 : 0);
}
if (curlOpts.VerifyHostOff) {
cmCTestOptionalLog(this->CTest, HANDLER_VERBOSE_OUTPUT,
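Review bot: The message reporting that peer verification was switched off is emitted only at `HANDLER_VERBOSE_OUTPUT`, so a normal run gives no sign that the upload used a TLS connection whose certificate was not checked. Consider logging the off case at a level that is shown by default and keeping the on case verbose, since a submission carries build results and presumably any configured credentials. `cmCTestCurl::InitCurl` applies the same setting with no log line at all in the visible hunk. `SubmitUsingHTTP` begins and continues outside this hunk.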