file(UPLOAD): Add support for TLS_VERIFY and TLS_CAINFO

* Improve and test err messages when TLS_VERIFY and TLS_CAINFO
  are not set in file(DOWNLOAD) and file(UPLOAD).

Help/command/file.rst

@@ -836,6 +836,18 @@ Options to both ``DOWNLOAD`` and ``UPLOAD`` are:
 If neither ``NETRC`` option is given CMake will check variables
 ``CMAKE_NETRC`` and ``CMAKE_NETRC_FILE``, respectively.
 
+``TLS_VERIFY <ON|OFF>``
+  Specify whether to verify the server certificate for ``https://`` URLs.
+  The default is to *not* verify.
+
+``TLS_CAINFO <file>``
+  Specify a custom Certificate Authority file for ``https://`` URLs.
+
+For ``https://`` URLs CMake must be built with OpenSSL support.  ``TLS/SSL``
+certificates are not checked by default.  Set ``TLS_VERIFY`` to ``ON`` to
+check certificates. If neither ``TLS`` option is given CMake will check
+variables ``CMAKE_TLS_VERIFY`` and ``CMAKE_TLS_CAINFO``, respectively.
+
 Additional options to ``DOWNLOAD`` are:
 
 ``EXPECTED_HASH ALGO=<value>``
@@ -847,19 +859,6 @@ Additional options to ``DOWNLOAD`` are:
 ``EXPECTED_MD5 <value>``
   Historical short-hand for ``EXPECTED_HASH MD5=<value>``.
 
-``TLS_VERIFY <ON|OFF>``
-  Specify whether to verify the server certificate for ``https://`` URLs.
-  The default is to *not* verify.
-
-``TLS_CAINFO <file>``
-  Specify a custom Certificate Authority file for ``https://`` URLs.
-
-For ``https://`` URLs CMake must be built with OpenSSL support.  ``TLS/SSL``
-certificates are not checked by default.  Set ``TLS_VERIFY`` to ``ON`` to
-check certificates and/or use ``EXPECTED_HASH`` to verify downloaded content.
-If neither ``TLS`` option is given CMake will check variables
-``CMAKE_TLS_VERIFY`` and ``CMAKE_TLS_CAINFO``, respectively.
-
 Locking
 ^^^^^^^
 

Help/release/dev/file-upload-tls.rst

@@ -0,0 +1,5 @@
+file-upload-tls
+---------------
+
+* The :command:`file(UPLOAD)` command gained ``TLS_VERIFY`` and ``TLS_CAINFO``
+  options to control server certificate verification.

Source/cmFileCommand.cxx

@@ -1610,7 +1610,7 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
       if (i != args.end()) {
         tls_verify = cmIsOn(*i);
       } else {
-        status.SetError("TLS_VERIFY missing bool value.");
+        status.SetError("DOWNLOAD missing bool value for TLS_VERIFY.");
         return false;
       }
     } else if (*i == "TLS_CAINFO") {
@@ -1618,7 +1618,7 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
       if (i != args.end()) {
         cainfo = i->c_str();
       } else {
-        status.SetError("TLS_CAFILE missing file value.");
+        status.SetError("DOWNLOAD missing file value for TLS_CAINFO.");
         return false;
       }
     } else if (*i == "NETRC_FILE") {
@@ -1760,11 +1760,12 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
   // check to see if TLS verification is requested
   if (tls_verify) {
     res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
-    check_curl_result(res, "Unable to set TLS/SSL Verify on: ");
+    check_curl_result(res, "DOWNLOAD cannot set TLS/SSL Verify on: ");
   } else {
     res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
-    check_curl_result(res, "Unable to set TLS/SSL Verify off: ");
+    check_curl_result(res, "DOWNLOAD cannot set TLS/SSL Verify off: ");
   }
+
   // check to see if a CAINFO file has been specified
   // command arg comes first
   std::string const& cainfo_err = cmCurlSetCAInfo(curl, cainfo);
@@ -1929,6 +1930,8 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
   std::string logVar;
   std::string statusVar;
   bool showProgress = false;
+  bool tls_verify = status.GetMakefile().IsOn("CMAKE_TLS_VERIFY");
+  const char* cainfo = status.GetMakefile().GetDefinition("CMAKE_TLS_CAINFO");
   std::string userpwd;
   std::string netrc_level =
     status.GetMakefile().GetSafeDefinition("CMAKE_NETRC");
@@ -1970,6 +1973,22 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
       statusVar = *i;
     } else if (*i == "SHOW_PROGRESS") {
       showProgress = true;
+    } else if (*i == "TLS_VERIFY") {
+      ++i;
+      if (i != args.end()) {
+        tls_verify = cmIsOn(*i);
+      } else {
+        status.SetError("UPLOAD missing bool value for TLS_VERIFY.");
+        return false;
+      }
+    } else if (*i == "TLS_CAINFO") {
+      ++i;
+      if (i != args.end()) {
+        cainfo = i->c_str();
+      } else {
+        status.SetError("UPLOAD missing file value for TLS_CAINFO.");
+        return false;
+      }
     } else if (*i == "NETRC_FILE") {
       ++i;
       if (i != args.end()) {
@@ -2055,8 +2074,18 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
                            cmFileCommandCurlDebugCallback);
   check_curl_result(res, "UPLOAD cannot set debug function: ");
 
-  // make sure default CAInfo is set
-  std::string const& cainfo_err = cmCurlSetCAInfo(curl, nullptr);
+  // check to see if TLS verification is requested
+  if (tls_verify) {
+    res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
+    check_curl_result(res, "UPLOAD cannot set TLS/SSL Verify on: ");
+  } else {
+    res = ::curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+    check_curl_result(res, "UPLOAD cannot set TLS/SSL Verify off: ");
+  }
+
+  // check to see if a CAINFO file has been specified
+  // command arg comes first
+  std::string const& cainfo_err = cmCurlSetCAInfo(curl, cainfo);
   if (!cainfo_err.empty()) {
     status.SetError(cainfo_err);
     return false;

Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-result.txt

@@ -0,0 +1 @@
+1

Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set-stderr.txt

@@ -0,0 +1,4 @@
+^CMake Error at DOWNLOAD-tls-cainfo-not-set.cmake:[0-9]+ \(file\):
+  file DOWNLOAD missing file value for TLS_CAINFO.
+Call Stack \(most recent call first\):
+  CMakeLists.txt:[0-9]+ \(include\)$

Tests/RunCMake/file/DOWNLOAD-tls-cainfo-not-set.cmake

@@ -0,0 +1 @@
+file(DOWNLOAD "" "" TLS_CAINFO)

Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-result.txt

@@ -0,0 +1 @@
+1

Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set-stderr.txt

@@ -0,0 +1,4 @@
+^CMake Error at DOWNLOAD-tls-verify-not-set.cmake:[0-9]+ \(file\):
+  file DOWNLOAD missing bool value for TLS_VERIFY.
+Call Stack \(most recent call first\):
+  CMakeLists.txt:[0-9]+ \(include\)$

Tests/RunCMake/file/DOWNLOAD-tls-verify-not-set.cmake

@@ -0,0 +1 @@
+file(DOWNLOAD "" "" TLS_VERIFY)

Tests/RunCMake/file/RunCMakeTest.cmake

@@ -8,6 +8,8 @@ run_cmake(DOWNLOAD-hash-mismatch)
 run_cmake(DOWNLOAD-unused-argument)
 run_cmake(DOWNLOAD-httpheader-not-set)
 run_cmake(DOWNLOAD-netrc-bad)
+run_cmake(DOWNLOAD-tls-cainfo-not-set)
+run_cmake(DOWNLOAD-tls-verify-not-set)
 run_cmake(DOWNLOAD-pass-not-set)
 run_cmake(TOUCH)
 run_cmake(TOUCH-error-in-source-directory)
@@ -15,6 +17,8 @@ run_cmake(TOUCH-error-missing-directory)
 run_cmake(UPLOAD-unused-argument)
 run_cmake(UPLOAD-httpheader-not-set)
 run_cmake(UPLOAD-netrc-bad)
+run_cmake(UPLOAD-tls-cainfo-not-set)
+run_cmake(UPLOAD-tls-verify-not-set)
 run_cmake(UPLOAD-pass-not-set)
 run_cmake(INSTALL-DIRECTORY)
 run_cmake(INSTALL-FILES_FROM_DIR)

Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-result.txt

@@ -0,0 +1 @@
+1

Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set-stderr.txt

@@ -0,0 +1,4 @@
+^CMake Error at UPLOAD-tls-cainfo-not-set.cmake:[0-9]+ \(file\):
+  file UPLOAD missing file value for TLS_CAINFO.
+Call Stack \(most recent call first\):
+  CMakeLists.txt:[0-9]+ \(include\)$

Tests/RunCMake/file/UPLOAD-tls-cainfo-not-set.cmake

@@ -0,0 +1 @@
+file(UPLOAD "" "" TLS_CAINFO)

Tests/RunCMake/file/UPLOAD-tls-verify-not-set-result.txt

@@ -0,0 +1 @@
+1

Tests/RunCMake/file/UPLOAD-tls-verify-not-set-stderr.txt

@@ -0,0 +1,4 @@
+^CMake Error at UPLOAD-tls-verify-not-set.cmake:[0-9]+ \(file\):
+  file UPLOAD missing bool value for TLS_VERIFY.
+Call Stack \(most recent call first\):
+  CMakeLists.txt:[0-9]+ \(include\)$

Tests/RunCMake/file/UPLOAD-tls-verify-not-set.cmake

@@ -0,0 +1 @@
+file(UPLOAD "" "" TLS_VERIFY)