Merge topic 'curl-default-cainfo'

0abd3e53 cmake: Use a default CA path when not using system curl
6ce346c5 curl: Add CURL_CA_PATH option to CMake build process

CMakeLists.txt

@@ -287,6 +287,13 @@ macro (CMAKE_BUILD_UTILITIES)
     if(CMAKE_TESTS_CDASH_SERVER)
       set(CMAKE_CURL_TEST_URL "${CMAKE_TESTS_CDASH_SERVER}/user.php")
     endif()
+    option(CMAKE_USE_OPENSSL "Use OpenSSL." OFF)
+    mark_as_advanced(CMAKE_USE_OPENSSL)
+    if(CMAKE_USE_OPENSSL)
+      set(CURL_CA_BUNDLE "" CACHE FILEPATH "Path to SSL CA Certificate Bundle")
+      set(CURL_CA_PATH "" CACHE PATH "Path to SSL CA Certificate Directory")
+      mark_as_advanced(CURL_CA_BUNDLE CURL_CA_PATH)
+    endif()
     add_subdirectory(Utilities/cmcurl)
     CMAKE_SET_TARGET_FOLDER(cmcurl "Utilities/3rdParty")
     CMAKE_SET_TARGET_FOLDER(LIBCURL "Utilities/3rdParty")

Help/release/dev/curl-default-cainfo.rst

@@ -0,0 +1,8 @@
+curl-default-cainfo
+-------------------
+
+* When CMake is built with OpenSSL on systems other than Windows
+  and OS X, commands supporting network communication via ``https``,
+  such as :command:`file(DOWNLOAD)`, :command:`file(UPLOAD)`, and
+  :command:`ctest_submit`, now search for OS-configured certificate
+  authorities in a few ``/etc`` paths to be trusted automatically.

Source/CMakeLists.txt

@@ -175,6 +175,8 @@ set(SRCS
   cmCPackPropertiesGenerator.cxx
   cmCryptoHash.cxx
   cmCryptoHash.h
+  cmCurl.cxx
+  cmCurl.h
   cmCustomCommand.cxx
   cmCustomCommand.h
   cmCustomCommandGenerator.cxx
@@ -497,6 +499,12 @@ if(WIN32 AND NOT CYGWIN)
   install(TARGETS cmcldeps DESTINATION bin)
 endif()
 
+foreach(v CURL_CA_BUNDLE CURL_CA_PATH)
+  if(${v})
+    set_property(SOURCE cmCurl.cxx APPEND PROPERTY COMPILE_DEFINITIONS ${v}="${${v}}")
+  endif()
+endforeach()
+
 # create a library used by the command line and the GUI
 add_library(CMakeLib ${SRCS})
 target_link_libraries(CMakeLib cmsys

Source/CTest/cmCTestSubmitHandler.cxx

@@ -26,7 +26,7 @@
 
 #include <cm_jsoncpp_reader.h>
 // For curl submission
-#include "cm_curl.h"
+#include "cmCurl.h"
 #include "cmCTestCurl.h"
 
 #include <sys/stat.h>
@@ -366,6 +366,7 @@ bool cmCTestSubmitHandler::SubmitUsingHTTP(const std::string& localprefix,
     curl = curl_easy_init();
     if(curl)
       {
+      cmCurlSetCAInfo(curl);
       if(verifyPeerOff)
         {
         cmCTestLog(this->CTest, HANDLER_VERBOSE_OUTPUT,

Source/cmCTest.cxx

@@ -9,7 +9,7 @@
   implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
   See the License for more information.
 ============================================================================*/
-#include "cm_curl.h"
+#include "cmCurl.h" // include before anything that includes windows.h
 
 #include "cmCTest.h"
 #include "cmake.h"
@@ -192,6 +192,7 @@ int cmCTest::HTTPRequest(std::string url, HTTPMethod method,
   FILE* file;
   ::curl_global_init(CURL_GLOBAL_ALL);
   curl = ::curl_easy_init();
+  cmCurlSetCAInfo(curl);
 
   //set request options based on method
   switch(method)

Source/cmCurl.cxx

@@ -0,0 +1,64 @@
+/*============================================================================
+  CMake - Cross Platform Makefile Generator
+  Copyright 2000-2015 Kitware, Inc., Insight Software Consortium
+
+  Distributed under the OSI-approved BSD License (the "License");
+  see accompanying file Copyright.txt for details.
+
+  This software is distributed WITHOUT ANY WARRANTY; without even the
+  implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the License for more information.
+============================================================================*/
+#include "cmCurl.h"
+#include "cmSystemTools.h"
+
+#define check_curl_result(result, errstr)                               \
+  if (result != CURLE_OK)                                               \
+    {                                                                   \
+    e += e.empty()? "" : "\n";                                          \
+    e += errstr;                                                        \
+    e += ::curl_easy_strerror(result);                                  \
+    }
+
+//----------------------------------------------------------------------------
+std::string cmCurlSetCAInfo(::CURL *curl, const char* cafile)
+{
+  std::string e;
+  if(cafile && *cafile)
+    {
+    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
+    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+    }
+#if !defined(CMAKE_USE_SYSTEM_CURL) && \
+    !defined(_WIN32) && !defined(__APPLE__) && \
+    !defined(CURL_CA_BUNDLE) && !defined(CURL_CA_PATH)
+# define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
+  else if(cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true))
+    {
+    ::CURLcode res =
+      ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_FEDORA);
+    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+    }
+# undef CMAKE_CAFILE_FEDORA
+  else
+    {
+#   define CMAKE_CAFILE_COMMON "/etc/ssl/certs/ca-certificates.crt"
+    if(cmSystemTools::FileExists(CMAKE_CAFILE_COMMON, true))
+      {
+      ::CURLcode res =
+        ::curl_easy_setopt(curl, CURLOPT_CAINFO, CMAKE_CAFILE_COMMON);
+      check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+      }
+#   undef CMAKE_CAFILE_COMMON
+#   define CMAKE_CAPATH_COMMON "/etc/ssl/certs"
+    if(cmSystemTools::FileIsDirectory(CMAKE_CAPATH_COMMON))
+      {
+      ::CURLcode res =
+        ::curl_easy_setopt(curl, CURLOPT_CAPATH, CMAKE_CAPATH_COMMON);
+      check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");
+      }
+#   undef CMAKE_CAPATH_COMMON
+    }
+#endif
+  return e;
+}

Source/cmCurl.h

@@ -0,0 +1,21 @@
+/*============================================================================
+  CMake - Cross Platform Makefile Generator
+  Copyright 2000-2015 Kitware, Inc., Insight Software Consortium
+
+  Distributed under the OSI-approved BSD License (the "License");
+  see accompanying file Copyright.txt for details.
+
+  This software is distributed WITHOUT ANY WARRANTY; without even the
+  implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the License for more information.
+============================================================================*/
+#ifndef cmCurl_h
+#define cmCurl_h
+
+#include <cmsys/Configure.h>
+#include "cm_curl.h"
+#include "cmStandardIncludes.h"
+
+std::string cmCurlSetCAInfo(::CURL *curl, const char* cafile = 0);
+
+#endif

Source/cmFileCommand.cxx

@@ -20,7 +20,7 @@
 #include "cmTimestamp.h"
 
 #if defined(CMAKE_BUILD_WITH_CMAKE)
-#include "cm_curl.h"
+#include "cmCurl.h"
 #include "cmFileLockResult.h"
 #endif
 
@@ -3068,10 +3068,11 @@ cmFileCommand::HandleDownloadCommand(std::vector<std::string> const& args)
     }
   // check to see if a CAINFO file has been specified
   // command arg comes first
-  if(cainfo && *cainfo)
+  std::string const& cainfo_err = cmCurlSetCAInfo(curl, cainfo);
+  if (!cainfo_err.empty())
     {
-    res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cainfo);
+    this->SetError(cainfo_err);
-    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+    return false;
     }
 
   cmFileCommandVectorOfChar chunkDebug;

Utilities/cmcurl/CMakeLists.txt

@@ -425,9 +425,6 @@ endif()
 
 #-----------------------------------------------------------------------------
 
-option(CMAKE_USE_OPENSSL "Use OpenSSL code. Experimental" OFF)
-mark_as_advanced(CMAKE_USE_OPENSSL)
-
 set(USE_SSLEAY OFF)
 set(USE_OPENSSL OFF)
 set(HAVE_LIBCRYPTO OFF)
@@ -454,11 +451,13 @@ if(CMAKE_USE_OPENSSL)
     check_include_file("openssl/rand.h"   HAVE_OPENSSL_RAND_H)
 
     # Optionally build with a specific CA cert bundle.
-    set(CURL_CA_BUNDLE "" CACHE FILEPATH "Path to SSL CA Certificate Bundle")
-    mark_as_advanced(CURL_CA_BUNDLE)
     if(CURL_CA_BUNDLE)
       add_definitions(-DCURL_CA_BUNDLE="${CURL_CA_BUNDLE}")
     endif()
+    # Optionally build with a specific CA cert dir.
+    if(CURL_CA_PATH)
+      add_definitions(-DCURL_CA_PATH="${CURL_CA_PATH}")
+    endif()
   endif(OPENSSL_FOUND)
 elseif(WIN32)
   # Use Windows SSL/TLS native implementation.

Utilities/cmcurl/lib/curl_config.h.cmake

@@ -3,12 +3,6 @@
 /* when building libcurl itself */
 #cmakedefine BUILDING_LIBCURL 1
 
-/* Location of default ca bundle */
-#cmakedefine CURL_CA_BUNDLE ${CURL_CA_BUNDLE}
-
-/* Location of default ca path */
-#cmakedefine CURL_CA_PATH ${CURL_CA_PATH}
-
 /* to disable cookies support */
 #cmakedefine CURL_DISABLE_COOKIES 1