libcurl_http_fetcher.cc - Issue 3475026: AU: Restrict the CA certificates to a smaller trusted set.

Side by Side Diff: libcurl_http_fetcher.cc

Issue 3475026: AU: Restrict the CA certificates to a smaller trusted set. (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/update_engine.git

Patch Set: save vertical space Created 10 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved.	1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "update_engine/libcurl_http_fetcher.h"	5 #include "update_engine/libcurl_http_fetcher.h"

6 #include <algorithm>	6 #include <algorithm>

7 #include "base/logging.h"	7 #include "base/logging.h"

8	8

9 using std::max;	9 using std::max;

10 using std::make_pair;	10 using std::make_pair;

11	11

12 // This is a concrete implementation of HttpFetcher that uses libcurl to do the	12 // This is a concrete implementation of HttpFetcher that uses libcurl to do the

13 // http work.	13 // http work.

14	14

15 namespace chromeos_update_engine {	15 namespace chromeos_update_engine {

16	16

17 namespace {	17 namespace {

18 const int kMaxRetriesCount = 20;	18 const int kMaxRetriesCount = 20;

	19 const char kCACertificatesPath[] = "/usr/share/update_engine/ca-certificates";
	Chris Masone 2010/09/28 18:16:41 I forget...is /usr/share on the stateful partition I forget...is /usr/share on the stateful partition or not? petkov 2010/09/28 19:17:18 /usr/share is not a special mount -- it's off of / Show quoted text On 2010/09/28 18:16:41, Chris Masone wrote: > I forget...is /usr/share on the stateful partition or not? /usr/share is not a special mount -- it's off of / (i.e., it's read-only, not part of stateful). Also, according to http://www.pathname.com/fhs/2.2/fhs-4.11.html, /usr/share is for read-only data files, so I think it all makes sense.
19 }	20 }

20	21

21 LibcurlHttpFetcher::~LibcurlHttpFetcher() {	22 LibcurlHttpFetcher::~LibcurlHttpFetcher() {

22 CleanUp();	23 CleanUp();

23 }	24 }

24	25

25 void LibcurlHttpFetcher::ResumeTransfer(const std::string& url) {	26 void LibcurlHttpFetcher::ResumeTransfer(const std::string& url) {

26 LOG(INFO) << "Starting/Resuming transfer";	27 LOG(INFO) << "Starting/Resuming transfer";

27 CHECK(!transfer_in_progress_);	28 CHECK(!transfer_in_progress_);

28 url_ = url;	29 url_ = url;

(...skipping 27 matching lines...) Expand all Loading...
56 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_URL, url_.c_str()), CURLE_OK);	57 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_URL, url_.c_str()), CURLE_OK);

57	58

58 // If the connection drops under 10 bytes/sec for 3 minutes, reconnect.	59 // If the connection drops under 10 bytes/sec for 3 minutes, reconnect.

59 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_LOW_SPEED_LIMIT, 10),	60 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_LOW_SPEED_LIMIT, 10),

60 CURLE_OK);	61 CURLE_OK);

61 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_LOW_SPEED_TIME, 3 * 60),	62 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_LOW_SPEED_TIME, 3 * 60),

62 CURLE_OK);	63 CURLE_OK);

63	64

64 // By default, libcurl doesn't follow redirections. Allow up to	65 // By default, libcurl doesn't follow redirections. Allow up to

65 // \|kMaxRedirects\| redirections.	66 // \|kMaxRedirects\| redirections.

66 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_FOLLOWLOCATION, 1),	67 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_FOLLOWLOCATION, 1), CURLE_OK);

	68 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_MAXREDIRS, kMaxRedirects),

67 CURLE_OK);	69 CURLE_OK);

68 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_MAXREDIRS, kMaxRedirects),	70

	71 // Makes sure that peer certificate verification is enabled and restricts the

	72 // set of trusted certificates.

	73 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1), CURLE_OK);

	74 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH, kCACertificatesPath),

69 CURLE_OK);	75 CURLE_OK);

70	76

71 CHECK_EQ(curl_multi_add_handle(curl_multi_handle_, curl_handle_), CURLM_OK);	77 CHECK_EQ(curl_multi_add_handle(curl_multi_handle_, curl_handle_), CURLM_OK);

72 transfer_in_progress_ = true;	78 transfer_in_progress_ = true;

73 }	79 }

74	80

75 // Begins the transfer, which must not have already been started.	81 // Begins the transfer, which must not have already been started.

76 void LibcurlHttpFetcher::BeginTransfer(const std::string& url) {	82 void LibcurlHttpFetcher::BeginTransfer(const std::string& url) {

77 transfer_size_ = -1;	83 transfer_size_ = -1;

78 bytes_downloaded_ = 0;	84 bytes_downloaded_ = 0;

(...skipping 203 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
282 curl_handle_ = NULL;	288 curl_handle_ = NULL;

283 }	289 }

284 if (curl_multi_handle_) {	290 if (curl_multi_handle_) {

285 CHECK_EQ(curl_multi_cleanup(curl_multi_handle_), CURLM_OK);	291 CHECK_EQ(curl_multi_cleanup(curl_multi_handle_), CURLM_OK);

286 curl_multi_handle_ = NULL;	292 curl_multi_handle_ = NULL;

287 }	293 }

288 transfer_in_progress_ = false;	294 transfer_in_progress_ = false;

289 }	295 }

290	296

291 } // namespace chromeos_update_engine	297 } // namespace chromeos_update_engine

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »