
Side by Side Diff: libcurl_http_fetcher.cc

Issue 5085002: AU: Restrict SSL ciphers to HIGH in official builds. (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/update_engine.git@master
Patch Set: Created 10 years, 1 month ago
OLDNEW
1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved. 1 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "update_engine/libcurl_http_fetcher.h" 5 #include "update_engine/libcurl_http_fetcher.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <string> 8 #include <string>
9 9
10 #include <base/logging.h> 10 #include <base/logging.h>
(...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after
94 CURLE_OK); 94 CURLE_OK);
95 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_LOW_SPEED_TIME, 3 * 60), 95 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_LOW_SPEED_TIME, 3 * 60),
96 CURLE_OK); 96 CURLE_OK);
97 97
98 // By default, libcurl doesn't follow redirections. Allow up to 98 // By default, libcurl doesn't follow redirections. Allow up to
99 // |kMaxRedirects| redirections. 99 // |kMaxRedirects| redirections.
100 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_FOLLOWLOCATION, 1), CURLE_OK); 100 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_FOLLOWLOCATION, 1), CURLE_OK);
101 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_MAXREDIRS, kMaxRedirects), 101 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_MAXREDIRS, kMaxRedirects),
102 CURLE_OK); 102 CURLE_OK);
103 103
104 // Makes sure that peer certificate verification is enabled and restricts the 104 // Security lock-down in official builds: makes sure that peer certificate
105 // set of trusted certificates. 105 // verification is enabled, restricts the set of trusted certificates,
106 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1), CURLE_OK); 106 // restricts protocols to HTTPS, restricts ciphers to HIGH.
107 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH, kCACertificatesPath),
108 CURLE_OK);
109
110 // Restrict protocols to HTTPS in official builds.
111 if (IsOfficialBuild()) { 107 if (IsOfficialBuild()) {
108 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1),
109 CURLE_OK);
110 CHECK_EQ(curl_easy_setopt(curl_handle_,
111 CURLOPT_CAPATH,
112 kCACertificatesPath),
113 CURLE_OK);
112 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS), 114 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS),
113 CURLE_OK); 115 CURLE_OK);
114 CHECK_EQ(curl_easy_setopt(curl_handle_, 116 CHECK_EQ(curl_easy_setopt(curl_handle_,
115 CURLOPT_REDIR_PROTOCOLS, 117 CURLOPT_REDIR_PROTOCOLS,
116 CURLPROTO_HTTPS), 118 CURLPROTO_HTTPS),
117 CURLE_OK); 119 CURLE_OK);
120 CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_CIPHER_LIST, "HIGH"),
121 CURLE_OK);
118 } 122 }
119 123
120 CHECK_EQ(curl_multi_add_handle(curl_multi_handle_, curl_handle_), CURLM_OK); 124 CHECK_EQ(curl_multi_add_handle(curl_multi_handle_, curl_handle_), CURLM_OK);
121 transfer_in_progress_ = true; 125 transfer_in_progress_ = true;
122 } 126 }
123 127
124 // Begins the transfer, which must not have already been started. 128 // Begins the transfer, which must not have already been started.
125 void LibcurlHttpFetcher::BeginTransfer(const std::string& url) { 129 void LibcurlHttpFetcher::BeginTransfer(const std::string& url) {
126 transfer_size_ = -1; 130 transfer_size_ = -1;
127 resume_offset_ = 0; 131 resume_offset_ = 0;
(...skipping 236 matching lines...) Expand 10 before | Expand all | Expand 10 after
364 void LibcurlHttpFetcher::GetHttpResponseCode() { 368 void LibcurlHttpFetcher::GetHttpResponseCode() {
365 long http_response_code = 0; 369 long http_response_code = 0;
366 if (curl_easy_getinfo(curl_handle_, 370 if (curl_easy_getinfo(curl_handle_,
367 CURLINFO_RESPONSE_CODE, 371 CURLINFO_RESPONSE_CODE,
368 &http_response_code) == CURLE_OK) { 372 &http_response_code) == CURLE_OK) {
369 http_response_code_ = static_cast<int>(http_response_code); 373 http_response_code_ = static_cast<int>(http_response_code);
370 } 374 }
371 } 375 }
372 376
373 } // namespace chromeos_update_engine 377 } // namespace chromeos_update_engine
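Review bot: The cipher string `"HIGH"` set at new line 120 selects by strength only, and with an OpenSSL-backed libcurl (the page does not show which TLS backend is linked) that class has historically included anonymous, unauthenticated suites; the usual hardening is to exclude them explicitly with `CURLOPT_SSL_CIPHER_LIST, "HIGH:!aNULL"`. The same block now carries the whole TLS lock-down but never sets `CURLOPT_SSL_VERIFYHOST`, so host-name checking rests on libcurl's default; pinning it next to VERIFYPEER with `CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYHOST, 2), CURLE_OK);` would keep the block self-contained. Moving `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_CAPATH` inside `if (IsOfficialBuild())` also means non-official builds no longer pin the trust store to `kCACertificatesPath`, which the issue title does not mention and deserves a line in the comment at new lines 104-106. The enclosing function starts in the skipped lines above this hunk.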