cmake: Modulize our TLS & hash detection

The interactions between `USE_HTTPS` and `SHA1_BACKEND` have been
streamlined. Previously we would have accepted not quite working
configurations (like, `-DUSE_HTTPS=OFF -DSHA1_BACKEND=OpenSSL`) and, as
the OpenSSL detection only ran with `USE_HTTPS`, the link would fail.

The detection was moved to a new `USE_SHA1`, modeled after `USE_HTTPS`,
which takes the values "CollisionDetection/Backend/Generic", to better
match how the "hashing backend" is selected, the default (ON) being
"CollisionDetection".

Note that, as `SHA1_BACKEND` is still used internally, you might need to
check what customization you're using it for.

Author: tiennou

CMakeLists.txt

@@ -52,11 +52,9 @@ OPTION(TAGS				"Generate tags"						OFF)
 OPTION(PROFILE				"Generate profiling information"			OFF)
 OPTION(ENABLE_TRACE			"Enables tracing support"				OFF)
 OPTION(LIBGIT2_FILENAME			"Name of the produced binary"				OFF)
-
-   SET(SHA1_BACKEND 			"CollisionDetection"			       CACHE STRING
-       "Backend to use for SHA1. One of Generic, OpenSSL, Win32, CommonCrypto, mbedTLS, CollisionDetection.")
 OPTION(USE_SSH				"Link with libssh2 to enable SSH support"		 ON)
 OPTION(USE_HTTPS			"Enable HTTPS support. Can be set to a specific backend" ON)
+OPTION(USE_SHA1				"Enable SHA1. Can be set to CollisionDetection(ON)/HTTPS/Generic" ON)
 OPTION(USE_GSSAPI			"Link with libgssapi for SPNEGO auth"			OFF)
 OPTION(USE_STANDALONE_FUZZERS		"Enable standalone fuzzers (compatible with gcc)"	OFF)
 OPTION(VALGRIND				"Configure build for valgrind"				OFF)

azure-pipelines.yml

@@ -29,7 +29,7 @@ jobs:
       imageName: 'libgit2/trusty-amd64:latest'
       environmentVariables: |
        CC=gcc
-       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DSHA1_BACKEND=mbedTLS -DDEPRECATE_HARD=ON
+       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DDEPRECATE_HARD=ON
        LEAK_CHECK=valgrind
 
 - job: linux_amd64_trusty_clang_openssl
@@ -55,7 +55,7 @@ jobs:
       imageName: 'libgit2/trusty-amd64:latest'
       environmentVariables: |
        CC=clang
-       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DSHA1_BACKEND=mbedTLS -DREGEX_BACKEND=pcre -DDEPRECATE_HARD=ON
+       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DREGEX_BACKEND=pcre -DDEPRECATE_HARD=ON
        LEAK_CHECK=valgrind
 
 - job: macos

azure-pipelines/nightly.yml

@@ -26,7 +26,7 @@ jobs:
       imageName: 'libgit2/trusty-amd64:latest'
       environmentVariables: |
        CC=gcc
-       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DSHA1_BACKEND=mbedTLS -DDEPRECATE_HARD=ON
+       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DDEPRECATE_HARD=ON
        LEAK_CHECK=valgrind
        RUN_INVASIVE_TESTS=true
 
@@ -54,7 +54,7 @@ jobs:
       imageName: 'libgit2/trusty-amd64:latest'
       environmentVariables: |
        CC=clang
-       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DSHA1_BACKEND=mbedTLS -DREGEX_BACKEND=pcre -DDEPRECATE_HARD=ON
+       CMAKE_OPTIONS=-DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DREGEX_BACKEND=pcre -DDEPRECATE_HARD=ON
        LEAK_CHECK=valgrind
        RUN_INVASIVE_TESTS=true
 

cmake/Modules/SelectHTTPSBackend.cmake

@@ -0,0 +1,126 @@
+# Select the backend to use
+
+# We try to find any packages our backends might use
+FIND_PACKAGE(OpenSSL)
+FIND_PACKAGE(mbedTLS)
+IF (CMAKE_SYSTEM_NAME MATCHES "Darwin")
+	FIND_PACKAGE(Security)
+	FIND_PACKAGE(CoreFoundation)
+ENDIF()
+
+# Auto-select TLS backend
+IF (USE_HTTPS STREQUAL ON)
+	message(ON)
+	IF (SECURITY_FOUND)
+		IF (SECURITY_HAS_SSLCREATECONTEXT)
+			SET(HTTPS_BACKEND "SecureTransport")
+		ELSE()
+			MESSAGE("-- Security framework is too old, falling back to OpenSSL")
+			SET(HTTPS_BACKEND "OpenSSL")
+		ENDIF()
+	ELSEIF (WINHTTP)
+		SET(HTTPS_BACKEND "WinHTTP")
+	ELSEIF(OPENSSL_FOUND)
+		SET(HTTPS_BACKEND "OpenSSL")
+	ELSEIF(MBEDTLS_FOUND)
+		SET(HTTPS_BACKEND "mbedTLS")
+	ELSE()
+		MESSAGE(FATAL_ERROR "Unable to autodetect a usable HTTPS backend."
+			"Please pass the backend name explicitly (-DUSE_HTTPS=backend)")
+	ENDIF()
+ELSEIF(USE_HTTPS)
+	message(expl)
+	# HTTPS backend was explicitly set
+	SET(HTTPS_BACKEND ${USE_HTTPS})
+ELSE()
+	SET(HTTPS_BACKEND NO)
+ENDIF()
+
+IF(HTTPS_BACKEND)
+	# Check that we can find what's required for the selected backend
+	IF (HTTPS_BACKEND STREQUAL "SecureTransport")
+		IF (NOT COREFOUNDATION_FOUND)
+			MESSAGE(FATAL_ERROR "Cannot use SecureTransport backend, CoreFoundation.framework not found")
+		ENDIF()
+		IF (NOT SECURITY_FOUND)
+			MESSAGE(FATAL_ERROR "Cannot use SecureTransport backend, Security.framework not found")
+		ENDIF()
+		IF (NOT SECURITY_HAS_SSLCREATECONTEXT)
+			MESSAGE(FATAL_ERROR "Cannot use SecureTransport backend, SSLCreateContext not supported")
+		ENDIF()
+
+		SET(GIT_SECURE_TRANSPORT 1)
+		LIST(APPEND LIBGIT2_SYSTEM_INCLUDES ${SECURITY_INCLUDE_DIR})
+		LIST(APPEND LIBGIT2_LIBS ${COREFOUNDATION_LIBRARIES} ${SECURITY_LIBRARIES})
+		LIST(APPEND LIBGIT2_PC_LIBS ${COREFOUNDATION_LDFLAGS} ${SECURITY_LDFLAGS})
+	ELSEIF (HTTPS_BACKEND STREQUAL "OpenSSL")
+		IF (NOT OPENSSL_FOUND)
+			MESSAGE(FATAL_ERROR "Asked for OpenSSL TLS backend, but it wasn't found")
+		ENDIF()
+
+		SET(GIT_OPENSSL 1)
+		LIST(APPEND LIBGIT2_SYSTEM_INCLUDES ${OPENSSL_INCLUDE_DIR})
+		LIST(APPEND LIBGIT2_LIBS ${OPENSSL_LIBRARIES})
+		LIST(APPEND LIBGIT2_PC_LIBS ${OPENSSL_LDFLAGS})
+		LIST(APPEND LIBGIT2_PC_REQUIRES "openssl")
+	ELSEIF(HTTPS_BACKEND STREQUAL "mbedTLS")
+		IF (NOT MBEDTLS_FOUND)
+			MESSAGE(FATAL_ERROR "Asked for mbedTLS backend, but it wasn't found")
+		ENDIF()
+
+		IF(NOT CERT_LOCATION)
+			MESSAGE("Auto-detecting default certificates location")
+			IF(CMAKE_SYSTEM_NAME MATCHES Darwin)
+				# Check for an Homebrew installation
+				SET(OPENSSL_CMD "/usr/local/opt/openssl/bin/openssl")
+			ELSE()
+				SET(OPENSSL_CMD "openssl")
+			ENDIF()
+			EXECUTE_PROCESS(COMMAND ${OPENSSL_CMD} version -d OUTPUT_VARIABLE OPENSSL_DIR OUTPUT_STRIP_TRAILING_WHITESPACE)
+			IF(OPENSSL_DIR)
+				STRING(REGEX REPLACE "^OPENSSLDIR: \"(.*)\"$" "\\1/" OPENSSL_DIR ${OPENSSL_DIR})
+
+				SET(OPENSSL_CA_LOCATIONS
+					"ca-bundle.pem"             # OpenSUSE Leap 42.1
+					"cert.pem"                  # Ubuntu 14.04, FreeBSD
+					"certs/ca-certificates.crt" # Ubuntu 16.04
+					"certs/ca.pem"              # Debian 7
+				)
+				FOREACH(SUFFIX IN LISTS OPENSSL_CA_LOCATIONS)
+					SET(LOC "${OPENSSL_DIR}${SUFFIX}")
+					IF(NOT CERT_LOCATION AND EXISTS "${OPENSSL_DIR}${SUFFIX}")
+						SET(CERT_LOCATION ${LOC})
+					ENDIF()
+				ENDFOREACH()
+			ELSE()
+				MESSAGE("Unable to find OpenSSL executable. Please provide default certificate location via CERT_LOCATION")
+			ENDIF()
+		ENDIF()
+
+		IF(CERT_LOCATION)
+			IF(NOT EXISTS ${CERT_LOCATION})
+				MESSAGE(FATAL_ERROR "Cannot use CERT_LOCATION=${CERT_LOCATION} as it doesn't exist")
+			ENDIF()
+			ADD_FEATURE_INFO(CERT_LOCATION ON "using certificates from ${CERT_LOCATION}")
+			ADD_DEFINITIONS(-DGIT_DEFAULT_CERT_LOCATION="${CERT_LOCATION}")
+		ENDIF()
+
+		SET(GIT_MBEDTLS 1)
+		LIST(APPEND LIBGIT2_SYSTEM_INCLUDES ${MBEDTLS_INCLUDE_DIR})
+		LIST(APPEND LIBGIT2_LIBS ${MBEDTLS_LIBRARIES})
+		# mbedTLS has no pkgconfig file, hence we can't require it
+		# https://github.com/ARMmbed/mbedtls/issues/228
+		# For now, pass its link flags as our own
+		LIST(APPEND LIBGIT2_PC_LIBS ${MBEDTLS_LIBRARIES})
+	ELSEIF (HTTPS_BACKEND STREQUAL "WinHTTP")
+		# WinHTTP setup was handled in the WinHTTP-specific block above
+	ELSE()
+		MESSAGE(FATAL_ERROR "Asked for backend ${HTTPS_BACKEND} but it wasn't found")
+	ENDIF()
+
+	SET(GIT_HTTPS 1)
+	ADD_FEATURE_INFO(HTTPS GIT_HTTPS "using ${HTTPS_BACKEND}")
+ELSE()
+	SET(GIT_HTTPS 0)
+	ADD_FEATURE_INFO(HTTPS NO "")
+ENDIF()

cmake/Modules/SelectHashes.cmake

@@ -0,0 +1,64 @@
+# Select a hash backend
+
+# USE_SHA1=CollisionDetection(ON)/HTTPS/Generic/OFF
+
+IF(USE_SHA1 STREQUAL ON OR USE_SHA1 STREQUAL "CollisionDetection")
+	SET(SHA1_BACKEND "CollisionDetection")
+ELSEIF(USE_SHA1 STREQUAL "HTTPS")
+	message("Checking HTTPS backend… ${HTTPS_BACKEND}")
+	IF(HTTPS_BACKEND STREQUAL "SecureTransport")
+		SET(SHA1_BACKEND "CommonCrypto")
+	ELSEIF(HTTPS_BACKEND STREQUAL "WinHTTP")
+		SET(SHA1_BACKEND "Win32")
+	ELSEIF(HTTPS_BACKEND)
+		SET(SHA1_BACKEND ${HTTPS_BACKEND})
+	ELSE()
+	ENDIF()
+	IF(NOT HTTPS_BACKEND)
+		SET(SHA1_BACKEND "CollisionDetection")
+	ENDIF()
+	message(STATUS "Using SHA1 backend ${SHA1_BACKEND}")
+ELSEIF(USE_SHA1 STREQUAL "Generic")
+	SET(SHA1_BACKEND "Generic")
+# ELSEIF(NOT USE_SHA1)
+ELSE()
+	MESSAGE(FATAL_ERROR "Invalid value for USE_SHA1: ${USE_SHA1}")
+ENDIF()
+
+IF(SHA1_BACKEND STREQUAL "CollisionDetection")
+	SET(GIT_SHA1_COLLISIONDETECT 1)
+	ADD_DEFINITIONS(-DSHA1DC_NO_STANDARD_INCLUDES=1)
+	ADD_DEFINITIONS(-DSHA1DC_CUSTOM_INCLUDE_SHA1_C=\"common.h\")
+	ADD_DEFINITIONS(-DSHA1DC_CUSTOM_INCLUDE_UBC_CHECK_C=\"common.h\")
+	FILE(GLOB SRC_SHA1 hash/hash_collisiondetect.c hash/sha1dc/*)
+ELSEIF(SHA1_BACKEND STREQUAL "OpenSSL")
+	# OPENSSL_FOUND should already be set, we're checking HTTPS_BACKEND
+
+	SET(GIT_SHA1_OPENSSL 1)
+	IF(CMAKE_SYSTEM_NAME MATCHES "FreeBSD")
+		LIST(APPEND LIBGIT2_PC_LIBS "-lssl")
+	ELSE()
+		LIST(APPEND LIBGIT2_PC_REQUIRES "openssl")
+	ENDIF()
+ELSEIF(SHA1_BACKEND STREQUAL "CommonCrypto")
+	SET(GIT_SHA1_COMMON_CRYPTO 1)
+ELSEIF(SHA1_BACKEND STREQUAL "mbedTLS")
+	SET(GIT_SHA1_MBEDTLS 1)
+	FILE(GLOB SRC_SHA1 hash/hash_mbedtls.c)
+	LIST(APPEND LIBGIT2_SYSTEM_INCLUDES ${MBEDTLS_INCLUDE_DIR})
+	LIST(APPEND LIBGIT2_LIBS ${MBEDTLS_LIBRARIES})
+	# mbedTLS has no pkgconfig file, hence we can't require it
+	# https://github.com/ARMmbed/mbedtls/issues/228
+	# For now, pass its link flags as our own
+	LIST(APPEND LIBGIT2_PC_LIBS ${MBEDTLS_LIBRARIES})
+ELSEIF(SHA1_BACKEND STREQUAL "Win32")
+	SET(GIT_SHA1_WIN32 1)
+	FILE(GLOB SRC_SHA1 hash/hash_win32.c)
+ELSEIF(SHA1_BACKEND STREQUAL "Generic")
+	FILE(GLOB SRC_SHA1 hash/hash_generic.c)
+# ELSEIF(NOT USE_SHA1)
+ELSE()
+	MESSAGE(FATAL_ERROR "Asked for unknown SHA1 backend: ${SHA1_BACKEND}")
+ENDIF()
+
+ADD_FEATURE_INFO(SHA ON "using ${SHA1_BACKEND}")

docs/changelog.md

@@ -10,6 +10,13 @@ v0.28 + 1
   system http-parser implementation despite incompatibilities, you can
   specify `-DUSE_HTTP_PARSER=system` to CMake.
 
+* The interactions between `USE_HTTPS` and `SHA1_BACKEND` have been
+  streamlined. The detection was moved to a new `USE_SHA1`, modeled after
+  `USE_HTTPS`, which takes the values "CollisionDetection/Backend/Generic", to
+  better match how the "hashing backend" is selected, the default (ON) being
+  "CollisionDetection". If you were using `SHA1_BACKEND` previously, you'll
+  need to check the value you've used, or switch to the autodetection.
+
 ### Changes or improvements
 
 * libgit2 can now correctly cope with URLs where the host contains a colon