From fe5e6c27bd1d9bbacd3baebdde878f989c82b79d Mon Sep 17 00:00:00 2001 From: Brad King Date: Mon, 26 Feb 2024 11:38:12 -0500 Subject: ExternalProject: Prepare for multiple git submodule config options --- Modules/ExternalProject.cmake | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake index 8b10135..b7290db 100644 --- a/Modules/ExternalProject.cmake +++ b/Modules/ExternalProject.cmake @@ -1379,8 +1379,6 @@ function(_ep_write_gitclone_script message(FATAL_ERROR "Tag for git checkout should not be empty.") endif() - set(git_submodules_config_options "") - if(GIT_VERSION_STRING VERSION_LESS 2.20 OR 2.21 VERSION_LESS_EQUAL GIT_VERSION_STRING) set(git_clone_options "--no-checkout") @@ -1403,21 +1401,23 @@ function(_ep_write_gitclone_script if(NOT ${git_remote_name} STREQUAL "origin") list(APPEND git_clone_options --origin \"${git_remote_name}\") endif() + + # The clone config option is sticky, it will apply to all subsequent git + # update operations. The submodules config option is not sticky, because + # git doesn't provide any way to do that. Thus, we will have to pass the + # same config option in the update step too for submodules, but not for + # the main git repo. + set(git_submodules_config_options "") if(NOT "x${tls_verify}" STREQUAL "x") - # The clone config option is sticky, it will apply to all subsequent git - # update operations. The submodules config option is not sticky, because - # git doesn't provide any way to do that. Thus, we will have to pass the - # same config option in the update step too for submodules, but not for - # the main git repo. if(tls_verify) # Default git behavior is "true", but the user might have changed the # global default to "false". Since TLS_VERIFY was given, ensure we honor # the specified setting regardless of what the global default might be. list(APPEND git_clone_options -c http.sslVerify=true) - set(git_submodules_config_options -c http.sslVerify=true) + list(APPEND git_submodules_config_options -c http.sslVerify=true) else() list(APPEND git_clone_options -c http.sslVerify=false) - set(git_submodules_config_options -c http.sslVerify=false) + list(APPEND git_submodules_config_options -c http.sslVerify=false) endif() endif() @@ -1480,19 +1480,19 @@ function(_ep_write_gitupdate_script list(APPEND git_stash_save_options --all) endif() + # The submodules config option is not sticky, git doesn't provide any way + # to do that. We have to pass this config option for the update step too. + # We don't need to set it for the non-submodule update because it gets + # recorded as part of the clone operation in a sticky manner. set(git_submodules_config_options "") if(NOT "x${tls_verify}" STREQUAL "x") - # The submodules config option is not sticky, git doesn't provide any way - # to do that. We have to pass this config option for the update step too. - # We don't need to set it for the non-submodule update because it gets - # recorded as part of the clone operation in a sticky manner. if(tls_verify) # Default git behavior is "true", but the user might have changed the # global default to "false". Since TLS_VERIFY was given, ensure we honor # the specified setting regardless of what the global default might be. - set(git_submodules_config_options -c http.sslVerify=true) + list(APPEND git_submodules_config_options -c http.sslVerify=true) else() - set(git_submodules_config_options -c http.sslVerify=false) + list(APPEND git_submodules_config_options -c http.sslVerify=false) endif() endif() -- cgit v0.12 From e39c37ab29a2c3955207cfea693e431ef5bec336 Mon Sep 17 00:00:00 2001 From: Brad King Date: Wed, 28 Feb 2024 09:36:22 -0500 Subject: ExternalProject: Revise wording of TLS_VERIFY documentation --- Modules/ExternalProject.cmake | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake index b7290db..c5e36ab 100644 --- a/Modules/ExternalProject.cmake +++ b/Modules/ExternalProject.cmake @@ -227,8 +227,8 @@ URL ``TLS_VERIFY `` Specifies whether certificate verification should be performed for - https URLs. If this option is not provided, the default behavior is - determined by the :variable:`CMAKE_TLS_VERIFY` variable (see + ``https://`` URLs. If this option is not provided, the default behavior + is determined by the :variable:`CMAKE_TLS_VERIFY` variable (see :command:`file(DOWNLOAD)`). If that is also not set, certificate verification will not be performed. In situations where ``URL_HASH`` cannot be provided, this option can be an alternative verification @@ -236,11 +236,10 @@ URL .. versionchanged:: 3.6 This option also applies to ``git clone`` invocations, although the - default behavior is different. If ``TLS_VERIFY`` is not given and - :variable:`CMAKE_TLS_VERIFY` is not set, the behavior will be - determined by git's defaults. Normally, the ``sslVerify`` git - config setting defaults to true, but the user may have overridden - this at a global level. + default behavior is different. If neither the ``TLS_VERIFY`` option + or :variable:`CMAKE_TLS_VERIFY` variable is specified, the behavior + will be determined by git's default (true) or a ``http.sslVerify`` + git config option the user may have set at a global level. ``TLS_CAINFO `` Specify a custom certificate authority file to use if ``TLS_VERIFY`` -- cgit v0.12 From 1afa6f359ecd5fc5dbf28f3a86441d6ba2a143a2 Mon Sep 17 00:00:00 2001 From: Brad King Date: Wed, 28 Feb 2024 18:48:53 -0500 Subject: ExternalProject: Factor out helper to get TLS_VERIFY option --- Modules/ExternalProject.cmake | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake index c5e36ab..54ce830 100644 --- a/Modules/ExternalProject.cmake +++ b/Modules/ExternalProject.cmake @@ -1345,6 +1345,14 @@ define_property(DIRECTORY PROPERTY "EP_STEP_TARGETS" INHERITED) define_property(DIRECTORY PROPERTY "EP_INDEPENDENT_STEP_TARGETS" INHERITED) define_property(DIRECTORY PROPERTY "EP_UPDATE_DISCONNECTED" INHERITED) +function(_ep_get_tls_verify name tls_verify_var) + get_property(tls_verify TARGET ${name} PROPERTY _EP_TLS_VERIFY) + if("x${tls_verify}" STREQUAL "x" AND DEFINED CMAKE_TLS_VERIFY) + set(tls_verify "${CMAKE_TLS_VERIFY}") + endif() + set("${tls_verify_var}" "${tls_verify}" PARENT_SCOPE) +endfunction() + function(_ep_write_gitclone_script script_filename source_dir @@ -1563,14 +1571,15 @@ function(_ep_write_downloadfile_script endif() set(TLS_VERIFY_CODE "") + if(NOT "x${tls_verify}" STREQUAL "x") + set(TLS_VERIFY_CODE "set(CMAKE_TLS_VERIFY \"${tls_verify}\")") + endif() + set(TLS_CAINFO_CODE "") set(NETRC_CODE "") set(NETRC_FILE_CODE "") # check for curl globals in the project - if(DEFINED CMAKE_TLS_VERIFY) - set(TLS_VERIFY_CODE "set(CMAKE_TLS_VERIFY ${CMAKE_TLS_VERIFY})") - endif() if(DEFINED CMAKE_TLS_CAINFO) set(TLS_CAINFO_CODE "set(CMAKE_TLS_CAINFO \"${CMAKE_TLS_CAINFO}\")") endif() @@ -1584,11 +1593,6 @@ function(_ep_write_downloadfile_script # now check for curl locals so that the local values # will override the globals - # check for tls_verify argument - string(LENGTH "${tls_verify}" tls_verify_len) - if(tls_verify_len GREATER 0) - set(TLS_VERIFY_CODE "set(CMAKE_TLS_VERIFY ${tls_verify})") - endif() # check for tls_cainfo argument string(LENGTH "${tls_cainfo}" tls_cainfo_len) if(tls_cainfo_len GREATER 0) @@ -2958,10 +2962,7 @@ function(_ep_add_download_command name) set(git_remote_name "origin") endif() - get_property(tls_verify TARGET ${name} PROPERTY _EP_TLS_VERIFY) - if("x${tls_verify}" STREQUAL "x" AND DEFINED CMAKE_TLS_VERIFY) - set(tls_verify "${CMAKE_TLS_VERIFY}") - endif() + _ep_get_tls_verify(${name} tls_verify) get_property(git_shallow TARGET ${name} PROPERTY _EP_GIT_SHALLOW) get_property(git_progress TARGET ${name} PROPERTY _EP_GIT_PROGRESS) get_property(git_config TARGET ${name} PROPERTY _EP_GIT_CONFIG) @@ -3145,7 +3146,7 @@ hash=${hash} TARGET ${name} PROPERTY _EP_DOWNLOAD_NO_PROGRESS ) - get_property(tls_verify TARGET ${name} PROPERTY _EP_TLS_VERIFY) + _ep_get_tls_verify(${name} tls_verify) get_property(tls_cainfo TARGET ${name} PROPERTY _EP_TLS_CAINFO) get_property(netrc TARGET ${name} PROPERTY _EP_NETRC) get_property(netrc_file TARGET ${name} PROPERTY _EP_NETRC_FILE) @@ -3471,10 +3472,7 @@ function(_ep_add_update_command name) _ep_get_git_submodules_recurse(git_submodules_recurse) - get_property(tls_verify TARGET ${name} PROPERTY _EP_TLS_VERIFY) - if("x${tls_verify}" STREQUAL "x" AND DEFINED CMAKE_TLS_VERIFY) - set(tls_verify "${CMAKE_TLS_VERIFY}") - endif() + _ep_get_tls_verify(${name} tls_verify) set(update_script "${tmp_dir}/${name}-gitupdate.cmake") list(APPEND file_deps ${update_script}) -- cgit v0.12 From 019960a52adf72397a7929af8210a60d0cf1d7ca Mon Sep 17 00:00:00 2001 From: Brad King Date: Wed, 28 Feb 2024 19:02:51 -0500 Subject: ExternalProject: Factor out helper to get TLS_CAINFO option --- Modules/ExternalProject.cmake | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake index 54ce830..a21741d 100644 --- a/Modules/ExternalProject.cmake +++ b/Modules/ExternalProject.cmake @@ -1353,6 +1353,14 @@ function(_ep_get_tls_verify name tls_verify_var) set("${tls_verify_var}" "${tls_verify}" PARENT_SCOPE) endfunction() +function(_ep_get_tls_cainfo name tls_cainfo_var) + get_property(tls_cainfo TARGET ${name} PROPERTY _EP_TLS_CAINFO) + if("x${tls_cainfo}" STREQUAL "x" AND DEFINED CMAKE_TLS_CAINFO) + set(tls_cainfo "${CMAKE_TLS_CAINFO}") + endif() + set("${tls_cainfo_var}" "${tls_cainfo}" PARENT_SCOPE) +endfunction() + function(_ep_write_gitclone_script script_filename source_dir @@ -1576,13 +1584,14 @@ function(_ep_write_downloadfile_script endif() set(TLS_CAINFO_CODE "") + if(NOT "x${tls_cainfo}" STREQUAL "x") + set(TLS_CAINFO_CODE "set(CMAKE_TLS_CAINFO \"${tls_cainfo}\")") + endif() + set(NETRC_CODE "") set(NETRC_FILE_CODE "") # check for curl globals in the project - if(DEFINED CMAKE_TLS_CAINFO) - set(TLS_CAINFO_CODE "set(CMAKE_TLS_CAINFO \"${CMAKE_TLS_CAINFO}\")") - endif() if(DEFINED CMAKE_NETRC) set(NETRC_CODE "set(CMAKE_NETRC \"${CMAKE_NETRC}\")") endif() @@ -1593,11 +1602,6 @@ function(_ep_write_downloadfile_script # now check for curl locals so that the local values # will override the globals - # check for tls_cainfo argument - string(LENGTH "${tls_cainfo}" tls_cainfo_len) - if(tls_cainfo_len GREATER 0) - set(TLS_CAINFO_CODE "set(CMAKE_TLS_CAINFO \"${tls_cainfo}\")") - endif() # check for netrc argument string(LENGTH "${netrc}" netrc_len) if(netrc_len GREATER 0) @@ -3147,7 +3151,7 @@ hash=${hash} PROPERTY _EP_DOWNLOAD_NO_PROGRESS ) _ep_get_tls_verify(${name} tls_verify) - get_property(tls_cainfo TARGET ${name} PROPERTY _EP_TLS_CAINFO) + _ep_get_tls_cainfo(${name} tls_cainfo) get_property(netrc TARGET ${name} PROPERTY _EP_NETRC) get_property(netrc_file TARGET ${name} PROPERTY _EP_NETRC_FILE) get_property(http_username TARGET ${name} PROPERTY _EP_HTTP_USERNAME) -- cgit v0.12 From f0a36b1a7636e827893df9adc6c472023605e67e Mon Sep 17 00:00:00 2001 From: Brad King Date: Wed, 28 Feb 2024 19:10:29 -0500 Subject: ExternalProject: Factor out helper to get NETRC options --- Modules/ExternalProject.cmake | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake index a21741d..2844b93 100644 --- a/Modules/ExternalProject.cmake +++ b/Modules/ExternalProject.cmake @@ -1361,6 +1361,22 @@ function(_ep_get_tls_cainfo name tls_cainfo_var) set("${tls_cainfo_var}" "${tls_cainfo}" PARENT_SCOPE) endfunction() +function(_ep_get_netrc name netrc_var) + get_property(netrc TARGET ${name} PROPERTY _EP_NETRC) + if("x${netrc}" STREQUAL "x" AND DEFINED CMAKE_NETRC) + set(netrc "${CMAKE_NETRC}") + endif() + set("${netrc_var}" "${netrc}" PARENT_SCOPE) +endfunction() + +function(_ep_get_netrc_file name netrc_file_var) + get_property(netrc_file TARGET ${name} PROPERTY _EP_NETRC_FILE) + if("x${netrc_file}" STREQUAL "x" AND DEFINED CMAKE_NETRC_FILE) + set(netrc_file "${CMAKE_NETRC_FILE}") + endif() + set("${netrc_file_var}" "${netrc_file}" PARENT_SCOPE) +endfunction() + function(_ep_write_gitclone_script script_filename source_dir @@ -1589,27 +1605,12 @@ function(_ep_write_downloadfile_script endif() set(NETRC_CODE "") - set(NETRC_FILE_CODE "") - - # check for curl globals in the project - if(DEFINED CMAKE_NETRC) - set(NETRC_CODE "set(CMAKE_NETRC \"${CMAKE_NETRC}\")") - endif() - if(DEFINED CMAKE_NETRC_FILE) - set(NETRC_FILE_CODE "set(CMAKE_NETRC_FILE \"${CMAKE_NETRC_FILE}\")") - endif() - - # now check for curl locals so that the local values - # will override the globals - - # check for netrc argument - string(LENGTH "${netrc}" netrc_len) - if(netrc_len GREATER 0) + if(NOT "x${netrc}" STREQUAL "x") set(NETRC_CODE "set(CMAKE_NETRC \"${netrc}\")") endif() - # check for netrc_file argument - string(LENGTH "${netrc_file}" netrc_file_len) - if(netrc_file_len GREATER 0) + + set(NETRC_FILE_CODE "") + if(NOT "x${netrc_file}" STREQUAL "x") set(NETRC_FILE_CODE "set(CMAKE_NETRC_FILE \"${netrc_file}\")") endif() @@ -3152,8 +3153,8 @@ hash=${hash} ) _ep_get_tls_verify(${name} tls_verify) _ep_get_tls_cainfo(${name} tls_cainfo) - get_property(netrc TARGET ${name} PROPERTY _EP_NETRC) - get_property(netrc_file TARGET ${name} PROPERTY _EP_NETRC_FILE) + _ep_get_netrc(${name} netrc) + _ep_get_netrc_file(${name} netrc_file) get_property(http_username TARGET ${name} PROPERTY _EP_HTTP_USERNAME) get_property(http_password TARGET ${name} PROPERTY _EP_HTTP_PASSWORD) get_property(http_headers TARGET ${name} PROPERTY _EP_HTTP_HEADER) -- cgit v0.12 From 2ef3bd9186e58d6486176417b5ef2de99b815820 Mon Sep 17 00:00:00 2001 From: Brad King Date: Mon, 26 Feb 2024 11:44:20 -0500 Subject: ExternalProject: Add TLS version options for https connections Add a `TLS_VERSION` option and honor `CMAKE_TLS_VERSION` variables. Also map the version to Git options as we already do for `TLS_VERIFY`. Issue: #25701 --- Help/envvar/CMAKE_TLS_VERSION.rst | 4 ++ Help/release/dev/curl-tls-version.rst | 6 +++ Help/variable/CMAKE_TLS_VERSION.rst | 4 ++ Modules/ExternalProject.cmake | 59 ++++++++++++++++++++++ Modules/ExternalProject/download.cmake.in | 1 + Modules/FetchContent.cmake | 1 + Tests/RunCMake/ExternalProject/RunCMakeTest.cmake | 3 ++ .../ExternalProject/TLSVersionBadArg-result.txt | 1 + .../ExternalProject/TLSVersionBadArg-stderr.txt | 10 ++++ .../ExternalProject/TLSVersionBadArg.cmake | 4 ++ .../ExternalProject/TLSVersionBadEnv-result.txt | 1 + .../ExternalProject/TLSVersionBadEnv-stderr.txt | 10 ++++ .../ExternalProject/TLSVersionBadEnv.cmake | 3 ++ .../ExternalProject/TLSVersionBadVar-result.txt | 1 + .../ExternalProject/TLSVersionBadVar-stderr.txt | 10 ++++ .../ExternalProject/TLSVersionBadVar.cmake | 4 ++ Tests/RunCMake/FetchContent/VarPassthroughs.cmake | 5 ++ 17 files changed, 127 insertions(+) create mode 100644 Tests/RunCMake/ExternalProject/TLSVersionBadArg-result.txt create mode 100644 Tests/RunCMake/ExternalProject/TLSVersionBadArg-stderr.txt create mode 100644 Tests/RunCMake/ExternalProject/TLSVersionBadArg.cmake create mode 100644 Tests/RunCMake/ExternalProject/TLSVersionBadEnv-result.txt create mode 100644 Tests/RunCMake/ExternalProject/TLSVersionBadEnv-stderr.txt create mode 100644 Tests/RunCMake/ExternalProject/TLSVersionBadEnv.cmake create mode 100644 Tests/RunCMake/ExternalProject/TLSVersionBadVar-result.txt create mode 100644 Tests/RunCMake/ExternalProject/TLSVersionBadVar-stderr.txt create mode 100644 Tests/RunCMake/ExternalProject/TLSVersionBadVar.cmake diff --git a/Help/envvar/CMAKE_TLS_VERSION.rst b/Help/envvar/CMAKE_TLS_VERSION.rst index 3bb2c97..c411861 100644 --- a/Help/envvar/CMAKE_TLS_VERSION.rst +++ b/Help/envvar/CMAKE_TLS_VERSION.rst @@ -10,3 +10,7 @@ Specify the default value for the :command:`file(DOWNLOAD)` and This environment variable is used if the option is not given and the :variable:`CMAKE_TLS_VERSION` cmake variable is not set. See that variable for allowed values. + +This variable is also used by the :module:`ExternalProject` and +:module:`FetchContent` modules for internal calls to +:command:`file(DOWNLOAD)` and ``git clone``. diff --git a/Help/release/dev/curl-tls-version.rst b/Help/release/dev/curl-tls-version.rst index 999e20c..4b7fe44 100644 --- a/Help/release/dev/curl-tls-version.rst +++ b/Help/release/dev/curl-tls-version.rst @@ -9,3 +9,9 @@ curl-tls-version environment variable were added to specify a default minimum TLS version for connections to ``https://`` URLs by the :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands. + +* The :module:`ExternalProject` module's :command:`ExternalProject_Add` + command gained a ``TLS_VERSION `` option, and support for the + :variable:`CMAKE_TLS_VERSION` variable and :envvar:`CMAKE_TLS_VERSION` + environment variable, to specify the minimum TLS version for connections + to ``https://`` URLs. diff --git a/Help/variable/CMAKE_TLS_VERSION.rst b/Help/variable/CMAKE_TLS_VERSION.rst index e4d9e7b..ed93081 100644 --- a/Help/variable/CMAKE_TLS_VERSION.rst +++ b/Help/variable/CMAKE_TLS_VERSION.rst @@ -17,3 +17,7 @@ The value may be one of: * ``1.2`` * ``1.3`` + +This variable is also used by the :module:`ExternalProject` and +:module:`FetchContent` modules for internal calls to +:command:`file(DOWNLOAD)` and ``git clone``. diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake index 2844b93..5644cf5 100644 --- a/Modules/ExternalProject.cmake +++ b/Modules/ExternalProject.cmake @@ -225,6 +225,21 @@ URL Provides an arbitrary list of HTTP headers for the download operation. This can be useful for accessing content in systems like AWS, etc. +``TLS_VERSION `` + .. versionadded:: 3.30 + + Specify minimum TLS version for ``https://`` URLs. If this option is + not provided, the value of the :variable:`CMAKE_TLS_VERSION` variable + or the :envvar:`CMAKE_TLS_VERSION` environment variable will be used + instead (see :command:`file(DOWNLOAD)`). + + This option also applies to ``git clone`` invocations, although the + default behavior is different. If none of the ``TLS_VERSION`` option, + :variable:`CMAKE_TLS_VERSION` variable, or :envvar:`CMAKE_TLS_VERSION` + environment variable is specified, the behavior will be determined by + git's default or a ``http.sslVersion`` git config option the user may + have set at a global level. + ``TLS_VERIFY `` Specifies whether certificate verification should be performed for ``https://`` URLs. If this option is not provided, the default behavior @@ -1345,6 +1360,27 @@ define_property(DIRECTORY PROPERTY "EP_STEP_TARGETS" INHERITED) define_property(DIRECTORY PROPERTY "EP_INDEPENDENT_STEP_TARGETS" INHERITED) define_property(DIRECTORY PROPERTY "EP_UPDATE_DISCONNECTED" INHERITED) +function(_ep_get_tls_version name tls_version_var) + set(tls_version_regex "^1\\.[0-3]$") + get_property(tls_version TARGET ${name} PROPERTY _EP_TLS_VERSION) + if(NOT "x${tls_version}" STREQUAL "x") + if(NOT tls_version MATCHES "${tls_version_regex}") + message(FATAL_ERROR "TLS_VERSION '${tls_version}' not known") + endif() + elseif(NOT "x${CMAKE_TLS_VERSION}" STREQUAL "x") + set(tls_version "${CMAKE_TLS_VERSION}") + if(NOT tls_version MATCHES "${tls_version_regex}") + message(FATAL_ERROR "CMAKE_TLS_VERSION '${tls_version}' not known") + endif() + elseif(NOT "x$ENV{CMAKE_TLS_VERSION}" STREQUAL "x") + set(tls_version "$ENV{CMAKE_TLS_VERSION}") + if(NOT tls_version MATCHES "${tls_version_regex}") + message(FATAL_ERROR "ENV{CMAKE_TLS_VERSION} '${tls_version}' not known") + endif() + endif() + set("${tls_version_var}" "${tls_version}" PARENT_SCOPE) +endfunction() + function(_ep_get_tls_verify name tls_verify_var) get_property(tls_verify TARGET ${name} PROPERTY _EP_TLS_VERIFY) if("x${tls_verify}" STREQUAL "x" AND DEFINED CMAKE_TLS_VERIFY) @@ -1394,6 +1430,7 @@ function(_ep_write_gitclone_script work_dir gitclone_infofile gitclone_stampfile + tls_version tls_verify ) @@ -1439,6 +1476,10 @@ function(_ep_write_gitclone_script # same config option in the update step too for submodules, but not for # the main git repo. set(git_submodules_config_options "") + if(NOT "x${tls_version}" STREQUAL "x") + list(APPEND git_clone_options -c http.sslVersion=tlsv${tls_version}) + list(APPEND git_submodules_config_options -c http.sslVersion=tlsv${tls_version}) + endif() if(NOT "x${tls_verify}" STREQUAL "x") if(tls_verify) # Default git behavior is "true", but the user might have changed the @@ -1496,6 +1537,7 @@ function(_ep_write_gitupdate_script git_repository work_dir git_update_strategy + tls_version tls_verify ) @@ -1516,6 +1558,9 @@ function(_ep_write_gitupdate_script # We don't need to set it for the non-submodule update because it gets # recorded as part of the clone operation in a sticky manner. set(git_submodules_config_options "") + if(NOT "x${tls_version}" STREQUAL "x") + list(APPEND git_submodules_config_options -c http.sslVersion=tlsv${tls_version}) + endif() if(NOT "x${tls_verify}" STREQUAL "x") if(tls_verify) # Default git behavior is "true", but the user might have changed the @@ -1542,6 +1587,7 @@ function(_ep_write_downloadfile_script inactivity_timeout no_progress hash + tls_version tls_verify tls_cainfo userpwd @@ -1594,6 +1640,11 @@ function(_ep_write_downloadfile_script set(EXPECT_VALUE "") endif() + set(TLS_VERSION_CODE "") + if(NOT "x${tls_version}" STREQUAL "x") + set(TLS_VERSION_CODE "set(CMAKE_TLS_VERSION \"${tls_version}\")") + endif() + set(TLS_VERIFY_CODE "") if(NOT "x${tls_verify}" STREQUAL "x") set(TLS_VERIFY_CODE "set(CMAKE_TLS_VERIFY \"${tls_verify}\")") @@ -1630,6 +1681,7 @@ function(_ep_write_downloadfile_script endif() # Used variables: + # * TLS_VERSION_CODE # * TLS_VERIFY_CODE # * TLS_CAINFO_CODE # * ALGO @@ -2967,6 +3019,7 @@ function(_ep_add_download_command name) set(git_remote_name "origin") endif() + _ep_get_tls_version(${name} tls_version) _ep_get_tls_verify(${name} tls_verify) get_property(git_shallow TARGET ${name} PROPERTY _EP_GIT_SHALLOW) get_property(git_progress TARGET ${name} PROPERTY _EP_GIT_PROGRESS) @@ -3017,6 +3070,7 @@ CMP0097=${_EP_CMP0097} ${work_dir} ${stamp_dir}/${name}-gitinfo.txt ${stamp_dir}/${name}-gitclone-lastrun.txt + "${tls_version}" "${tls_verify}" ) set(comment "Performing download step (git clone) for '${name}'") @@ -3151,6 +3205,7 @@ hash=${hash} TARGET ${name} PROPERTY _EP_DOWNLOAD_NO_PROGRESS ) + _ep_get_tls_version(${name} tls_version) _ep_get_tls_verify(${name} tls_verify) _ep_get_tls_cainfo(${name} tls_cainfo) _ep_get_netrc(${name} netrc) @@ -3167,6 +3222,7 @@ hash=${hash} "${inactivity_timeout}" "${no_progress}" "${hash}" + "${tls_version}" "${tls_verify}" "${tls_cainfo}" "${http_username}:${http_password}" @@ -3477,6 +3533,7 @@ function(_ep_add_update_command name) _ep_get_git_submodules_recurse(git_submodules_recurse) + _ep_get_tls_version(${name} tls_version) _ep_get_tls_verify(${name} tls_verify) set(update_script "${tmp_dir}/${name}-gitupdate.cmake") @@ -3492,6 +3549,7 @@ function(_ep_add_update_command name) "${git_repository}" "${work_dir}" "${git_update_strategy}" + "${tls_version}" "${tls_verify}" ) set(cmd ${CMAKE_COMMAND} -Dcan_fetch=YES -P ${update_script}) @@ -4265,6 +4323,7 @@ function(ExternalProject_Add name) HTTP_USERNAME HTTP_PASSWORD HTTP_HEADER + TLS_VERSION # Also used for git clone operations TLS_VERIFY # Also used for git clone operations TLS_CAINFO NETRC diff --git a/Modules/ExternalProject/download.cmake.in b/Modules/ExternalProject/download.cmake.in index 0ad0dd3..2158ffd 100644 --- a/Modules/ExternalProject/download.cmake.in +++ b/Modules/ExternalProject/download.cmake.in @@ -111,6 +111,7 @@ foreach(i RANGE ${retry_number}) if(NOT url IN_LIST skip_url_list) message(STATUS "Using src='${url}'") + @TLS_VERSION_CODE@ @TLS_VERIFY_CODE@ @TLS_CAINFO_CODE@ @NETRC_CODE@ diff --git a/Modules/FetchContent.cmake b/Modules/FetchContent.cmake index 48cdaf4..3d58cb0 100644 --- a/Modules/FetchContent.cmake +++ b/Modules/FetchContent.cmake @@ -1650,6 +1650,7 @@ ExternalProject_Add_Step(${contentName}-populate copyfile set(__FETCHCONTENT_CACHED_INFO "") set(__passthrough_vars CMAKE_EP_GIT_REMOTE_UPDATE_STRATEGY + CMAKE_TLS_VERSION CMAKE_TLS_VERIFY CMAKE_TLS_CAINFO CMAKE_NETRC diff --git a/Tests/RunCMake/ExternalProject/RunCMakeTest.cmake b/Tests/RunCMake/ExternalProject/RunCMakeTest.cmake index ffaa46c..f16e479 100644 --- a/Tests/RunCMake/ExternalProject/RunCMakeTest.cmake +++ b/Tests/RunCMake/ExternalProject/RunCMakeTest.cmake @@ -15,6 +15,9 @@ endif() run_cmake(BadIndependentStep1) run_cmake(BadIndependentStep2) +run_cmake(TLSVersionBadArg) +run_cmake(TLSVersionBadVar) +run_cmake(TLSVersionBadEnv) run_cmake(NoOptions) run_cmake(SourceEmpty) run_cmake(SourceMissing) diff --git a/Tests/RunCMake/ExternalProject/TLSVersionBadArg-result.txt b/Tests/RunCMake/ExternalProject/TLSVersionBadArg-result.txt new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/Tests/RunCMake/ExternalProject/TLSVersionBadArg-result.txt @@ -0,0 +1 @@ +1 diff --git a/Tests/RunCMake/ExternalProject/TLSVersionBadArg-stderr.txt b/Tests/RunCMake/ExternalProject/TLSVersionBadArg-stderr.txt new file mode 100644 index 0000000..1231797 --- /dev/null +++ b/Tests/RunCMake/ExternalProject/TLSVersionBadArg-stderr.txt @@ -0,0 +1,10 @@ +^CMake Error at [^ +]*/Modules/ExternalProject\.cmake:[0-9]+ \(message\): + TLS_VERSION 'bad-arg' not known +Call Stack \(most recent call first\): + [^ +]*/Modules/ExternalProject\.cmake:[0-9]+ \(_ep_get_tls_version\) + [^ +]*/Modules/ExternalProject\.cmake:[0-9]+ \(_ep_add_download_command\) + TLSVersionBadArg\.cmake:[0-9]+ \(ExternalProject_Add\) + CMakeLists\.txt:[0-9]+ \(include\)$ diff --git a/Tests/RunCMake/ExternalProject/TLSVersionBadArg.cmake b/Tests/RunCMake/ExternalProject/TLSVersionBadArg.cmake new file mode 100644 index 0000000..d212982 --- /dev/null +++ b/Tests/RunCMake/ExternalProject/TLSVersionBadArg.cmake @@ -0,0 +1,4 @@ +include(ExternalProject) +set(ENV{CMAKE_TLS_VERSION} bad-env) +set(CMAKE_TLS_VERSION bad-var) +ExternalProject_Add(MyProj GIT_REPOSITORY "fake" TLS_VERSION bad-arg) diff --git a/Tests/RunCMake/ExternalProject/TLSVersionBadEnv-result.txt b/Tests/RunCMake/ExternalProject/TLSVersionBadEnv-result.txt new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/Tests/RunCMake/ExternalProject/TLSVersionBadEnv-result.txt @@ -0,0 +1 @@ +1 diff --git a/Tests/RunCMake/ExternalProject/TLSVersionBadEnv-stderr.txt b/Tests/RunCMake/ExternalProject/TLSVersionBadEnv-stderr.txt new file mode 100644 index 0000000..38b0fb8 --- /dev/null +++ b/Tests/RunCMake/ExternalProject/TLSVersionBadEnv-stderr.txt @@ -0,0 +1,10 @@ +^CMake Error at [^ +]*/Modules/ExternalProject\.cmake:[0-9]+ \(message\): + ENV{CMAKE_TLS_VERSION} 'bad-env' not known +Call Stack \(most recent call first\): + [^ +]*/Modules/ExternalProject\.cmake:[0-9]+ \(_ep_get_tls_version\) + [^ +]*/Modules/ExternalProject\.cmake:[0-9]+ \(_ep_add_download_command\) + TLSVersionBadEnv\.cmake:[0-9]+ \(ExternalProject_Add\) + CMakeLists\.txt:[0-9]+ \(include\)$ diff --git a/Tests/RunCMake/ExternalProject/TLSVersionBadEnv.cmake b/Tests/RunCMake/ExternalProject/TLSVersionBadEnv.cmake new file mode 100644 index 0000000..8018642 --- /dev/null +++ b/Tests/RunCMake/ExternalProject/TLSVersionBadEnv.cmake @@ -0,0 +1,3 @@ +include(ExternalProject) +set(ENV{CMAKE_TLS_VERSION} bad-env) +ExternalProject_Add(MyProj GIT_REPOSITORY "fake") diff --git a/Tests/RunCMake/ExternalProject/TLSVersionBadVar-result.txt b/Tests/RunCMake/ExternalProject/TLSVersionBadVar-result.txt new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/Tests/RunCMake/ExternalProject/TLSVersionBadVar-result.txt @@ -0,0 +1 @@ +1 diff --git a/Tests/RunCMake/ExternalProject/TLSVersionBadVar-stderr.txt b/Tests/RunCMake/ExternalProject/TLSVersionBadVar-stderr.txt new file mode 100644 index 0000000..aaec60b --- /dev/null +++ b/Tests/RunCMake/ExternalProject/TLSVersionBadVar-stderr.txt @@ -0,0 +1,10 @@ +^CMake Error at [^ +]*/Modules/ExternalProject\.cmake:[0-9]+ \(message\): + CMAKE_TLS_VERSION 'bad-var' not known +Call Stack \(most recent call first\): + [^ +]*/Modules/ExternalProject\.cmake:[0-9]+ \(_ep_get_tls_version\) + [^ +]*/Modules/ExternalProject\.cmake:[0-9]+ \(_ep_add_download_command\) + TLSVersionBadVar\.cmake:[0-9]+ \(ExternalProject_Add\) + CMakeLists\.txt:[0-9]+ \(include\)$ diff --git a/Tests/RunCMake/ExternalProject/TLSVersionBadVar.cmake b/Tests/RunCMake/ExternalProject/TLSVersionBadVar.cmake new file mode 100644 index 0000000..f52dd2e --- /dev/null +++ b/Tests/RunCMake/ExternalProject/TLSVersionBadVar.cmake @@ -0,0 +1,4 @@ +include(ExternalProject) +set(ENV{CMAKE_TLS_VERSION} bad-env) +set(CMAKE_TLS_VERSION bad-var) +ExternalProject_Add(MyProj GIT_REPOSITORY "fake") diff --git a/Tests/RunCMake/FetchContent/VarPassthroughs.cmake b/Tests/RunCMake/FetchContent/VarPassthroughs.cmake index ad743d8..279c127 100644 --- a/Tests/RunCMake/FetchContent/VarPassthroughs.cmake +++ b/Tests/RunCMake/FetchContent/VarPassthroughs.cmake @@ -5,6 +5,7 @@ set(CMAKE_TLS_VERIFY BBBB) set(CMAKE_TLS_CAINFO CCCC) set(CMAKE_NETRC DDDD) set(CMAKE_NETRC_FILE EEEE) +set(CMAKE_TLS_VERSION FFFF) FetchContent_Declare(PassThrough DOWNLOAD_COMMAND ${CMAKE_COMMAND} -E echo "Download command executed" @@ -21,6 +22,10 @@ if(NOT contents MATCHES "CMAKE_EP_GIT_REMOTE_UPDATE_STRATEGY \\[==\\[AAAA\\]==\\ message(FATAL_ERROR "Missing CMAKE_EP_GIT_REMOTE_UPDATE_STRATEGY") endif() +if(NOT contents MATCHES "CMAKE_TLS_VERSION \\[==\\[FFFF\\]==\\]") + message(FATAL_ERROR "Missing CMAKE_TLS_VERSION") +endif() + if(NOT contents MATCHES "CMAKE_TLS_VERIFY \\[==\\[BBBB\\]==\\]") message(FATAL_ERROR "Missing CMAKE_TLS_VERIFY") endif() -- cgit v0.12