From 46faaf9667cff75008e91a5e379e7409c9b365c4 Mon Sep 17 00:00:00 2001 From: Brad King Date: Fri, 29 Mar 2024 11:50:07 -0400 Subject: file(DOWNLOAD|UPLOAD): Add CMAKE_TLS_VERIFY environment variable Issue: #23608 --- Help/envvar/CMAKE_TLS_VERIFY.rst | 11 +++++++++++ Help/manual/cmake-env-variables.7.rst | 1 + Help/release/dev/curl-tls-version.rst | 4 ++++ Help/variable/CMAKE_TLS_VERIFY.rst | 4 +++- Source/cmFileCommand.cxx | 12 ++++++++++++ Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad-stdout.txt | 2 ++ Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad.cmake | 15 +++++++++++++-- 7 files changed, 46 insertions(+), 3 deletions(-) create mode 100644 Help/envvar/CMAKE_TLS_VERIFY.rst diff --git a/Help/envvar/CMAKE_TLS_VERIFY.rst b/Help/envvar/CMAKE_TLS_VERIFY.rst new file mode 100644 index 0000000..a0ed323 --- /dev/null +++ b/Help/envvar/CMAKE_TLS_VERIFY.rst @@ -0,0 +1,11 @@ +CMAKE_TLS_VERIFY +---------------- + +.. versionadded:: 3.30 + +.. include:: ENV_VAR.txt + +Specify the default value for the :command:`file(DOWNLOAD)` and +:command:`file(UPLOAD)` commands' ``TLS_VERIFY`` option. +This environment variable is used if the option is not given +and the :variable:`CMAKE_TLS_VERIFY` cmake variable is not set. diff --git a/Help/manual/cmake-env-variables.7.rst b/Help/manual/cmake-env-variables.7.rst index 5273194..e693e4c 100644 --- a/Help/manual/cmake-env-variables.7.rst +++ b/Help/manual/cmake-env-variables.7.rst @@ -27,6 +27,7 @@ Environment Variables that Change Behavior /envvar/CMAKE_MAXIMUM_RECURSION_DEPTH /envvar/CMAKE_PREFIX_PATH /envvar/CMAKE_PROGRAM_PATH + /envvar/CMAKE_TLS_VERIFY /envvar/CMAKE_TLS_VERSION /envvar/SSL_CERT_DIR /envvar/SSL_CERT_FILE diff --git a/Help/release/dev/curl-tls-version.rst b/Help/release/dev/curl-tls-version.rst index 636fa3c..26d03ad 100644 --- a/Help/release/dev/curl-tls-version.rst +++ b/Help/release/dev/curl-tls-version.rst 
@@ -10,6 +10,10 @@ curl-tls-version for connections to ``https://`` URLs by the :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands. +* The :envvar:`CMAKE_TLS_VERIFY` environment variable was added as a fallback + to the existing :variable:`CMAKE_TLS_VERIFY` variable. It specifies + whether to verify the server certificate for ``https://`` URLs by default. + * The :module:`ExternalProject` module's :command:`ExternalProject_Add` command gained a ``TLS_VERSION `` option, and support for the :variable:`CMAKE_TLS_VERSION` variable and :envvar:`CMAKE_TLS_VERSION` diff --git a/Help/variable/CMAKE_TLS_VERIFY.rst b/Help/variable/CMAKE_TLS_VERIFY.rst index b22f1ce..5871ac7 100644 --- a/Help/variable/CMAKE_TLS_VERIFY.rst +++ b/Help/variable/CMAKE_TLS_VERIFY.rst @@ -3,7 +3,9 @@ CMAKE_TLS_VERIFY Specify the default value for the :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands' ``TLS_VERIFY`` options. -If not set, the default is *off*. +If this variable is not set, the commands check the +:envvar:`CMAKE_TLS_VERIFY` environment variable. +If neither is set, the default is *off*. This variable is also used by the :module:`ExternalProject` and :module:`FetchContent` modules for internal calls to :command:`file(DOWNLOAD)`. diff --git a/Source/cmFileCommand.cxx b/Source/cmFileCommand.cxx index ac1d22b..0369051 100644 --- a/Source/cmFileCommand.cxx +++ b/Source/cmFileCommand.cxx @@ -2036,6 +2036,12 @@ bool HandleDownloadCommand(std::vector const& args, tls_verify = v.IsOn(); } } + if (!tls_verify) { + if (cm::optional v = + cmSystemTools::GetEnvVar("CMAKE_TLS_VERIFY")) { + tls_verify = cmIsOn(*v); + } + } if (!tls_version) { if (cmValue v = status.GetMakefile().GetDefinition("CMAKE_TLS_VERSION")) { 
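Review bot: In the block added to HandleDownloadCommand, `tls_verify = cmIsOn(*v);` turns any value of the CMAKE_TLS_VERIFY environment variable that is not a recognized true constant, including a typo, into verification off without any diagnostic. That matches the `v.IsOn()` handling of the cmake variable on the context line above, and it is no weaker than the unset default. Even so, someone who exports the variable to harden a build host gets no signal that the value was ignored. Consider a warning when the value is neither `cmIsOn(*v)` nor `cmIsOff(*v)`, and at least list the accepted values in Help/envvar/CMAKE_TLS_VERIFY.rst. The same applies to the identical block in the HandleUploadCommand hunk; both function bodies start and end outside their hunks.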
@@ -2439,6 +2445,12 @@ bool HandleUploadCommand(std::vector const& args, tls_verify = v.IsOn(); } } + if (!tls_verify) { + if (cm::optional v = + cmSystemTools::GetEnvVar("CMAKE_TLS_VERIFY")) { + tls_verify = cmIsOn(*v); + } + } if (!tls_version) { if (cmValue v = status.GetMakefile().GetDefinition("CMAKE_TLS_VERSION")) { diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad-stdout.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad-stdout.txt index 72ab8f4..fbff3b9 100644 --- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad-stdout.txt +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad-stdout.txt @@ -1,4 +1,6 @@ -- def-0: 0;"No error" +-- env-0: 0;"No error" +-- env-1: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- var-0: 0;"No error" -- var-1: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error") -- opt-0: 0;"No error" diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad.cmake b/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad.cmake index ed19bd6..a90c2f4 100644 --- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad.cmake +++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad.cmake 
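Review bot: The six lines added to HandleUploadCommand are a copy of the block added to HandleDownloadCommand, so the rule that decides whether server certificates are verified now lives in two places that can drift apart. A file-local helper that takes the optional by reference and applies the environment fallback, called from both sites, would keep them in step. The helper is also the natural home for a precedence comment such as `// Precedence: TLS_VERIFY option, then CMAKE_TLS_VERIFY variable, then CMAKE_TLS_VERIFY environment variable.` HandleUploadCommand's body starts and ends outside the hunk.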
@@ -7,17 +7,28 @@ function(download case) endfunction() # The default is OFF. +unset(ENV{CMAKE_TLS_VERIFY}) unset(CMAKE_TLS_VERIFY) download(def-0) -# The cmake variable overrides the default. +# The environment variable overrides the default. +set(ENV{CMAKE_TLS_VERIFY} 0) +download(env-0) +set(ENV{CMAKE_TLS_VERIFY} 1) +download(env-1) + +# The cmake variable overrides the environment variable. +set(ENV{CMAKE_TLS_VERIFY} 1) set(CMAKE_TLS_VERIFY 0) download(var-0) +set(ENV{CMAKE_TLS_VERIFY} 0) set(CMAKE_TLS_VERIFY 1) download(var-1) -# The explicit argument overrides the cmake variable. +# The explicit argument overrides the cmake variable and the environment variable. +set(ENV{CMAKE_TLS_VERIFY} 1) set(CMAKE_TLS_VERIFY 1) download(opt-0 TLS_VERIFY 0) +set(ENV{CMAKE_TLS_VERIFY} 0) set(CMAKE_TLS_VERIFY 0) download(opt-1 TLS_VERIFY 1) -- cgit v0.12
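Review bot: The new env-0/env-1 cases exercise only `0` and `1`; no case pins what happens when the environment variable is set but empty or holds a value that is not a boolean constant. Since the C++ side passes the value through `cmIsOn`, such a value presumably resolves to verification off. A case like `set(ENV{CMAKE_TLS_VERIFY} "")` followed by `download(env-empty)`, with a matching line in TLS_VERIFY-bad-stdout.txt, would record that as intended behaviour. The diffstat also lists only file-DOWNLOAD tests, so the fallback added to file(UPLOAD) appears to be untested by this commit.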