Make hash checks mandatory for HTTP downloads.

Currently we've made all the checks for metadata size, metadata signature
and operation hashes as optional. While they are still optional if we use
HTTPS for downloading the payload, we want to make them mandatory in the
case of HTTP, so as to support HTTP downloads.

In this CL, we make these checks mandatory if the Omaha response has an
HTTP URL. This will not affect any scenarios of our test team because they
always use HTTPS URLs for payload URLs. But this would break the dev tools
and our hardware test lab scenarios because they use HTTP URLs and do not
generate the required manifest signature yet. So we waive this requirement
for dev/test images even though they use HTTP.

This CL will not have any effect until we decide to add an HTTP rule in
Omaha, which serves as a safety knob till we are confident with our
testing.

BUG=chromium-os:36808
TEST=Existing unit tests pass. Added new unit tests for most new code.
TEST=Ran manual tests on ZGB for every type of hash failure for HTTP.
TEST=Tested image_to_live to make sure hash checks are waived as expected.

Change-Id: I8c4408e3052635ccf4bee0c848781733c1f8e984
Reviewed-on: https://gerrit.chromium.org/gerrit/39293
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Jay Srinivasan <jaysri@chromium.org>
Reviewed-by: Jay Srinivasan <jaysri@chromium.org>
Tested-by: Jay Srinivasan <jaysri@chromium.org>
diff --git a/omaha_response_handler_action.cc b/omaha_response_handler_action.cc
index e952a29..a181542 100644
--- a/omaha_response_handler_action.cc
+++ b/omaha_response_handler_action.cc
@@ -7,6 +7,7 @@
 #include <string>
 
 #include <base/logging.h>
+#include "base/string_util.h"
 
 #include "update_engine/delta_performer.h"
 #include "update_engine/prefs_interface.h"
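Review bot: the new `+#include "base/string_util.h"` line uses the quoted include form while the adjacent `#include <base/logging.h>` uses angle brackets; pick one style for the base/ headers in this file so the block stays consistent.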
@@ -38,7 +39,7 @@
   install_plan_.payload_hash = response.hash;
   install_plan_.metadata_size = response.metadata_size;
   install_plan_.metadata_signature = response.metadata_signature;
-
+  install_plan_.hash_checks_mandatory = AreHashChecksMandatory(response);
   install_plan_.is_resume =
       DeltaPerformer::CanResumeUpdate(prefs_, response.hash);
   if (!install_plan_.is_resume) {
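Review bot: `install_plan_.hash_checks_mandatory = AreHashChecksMandatory(response);` relies on a new InstallPlan field that is not part of this diff; make sure its constructor default is `true`, so that any path that builds an InstallPlan without passing through this action fails closed (checks enforced) rather than silently skipping them. A unit test that the flag survives the `is_resume` path computed immediately below would also be worth adding.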
@@ -88,4 +89,35 @@
   return true;
 }
 
+bool OmahaResponseHandlerAction::AreHashChecksMandatory(
+    const OmahaResponse& response) {
+  // All our internal testing uses dev server which doesn't generate metadata
+  // signatures yet. So, in order not to break image_to_live or other AU tools,
+  // we should waive the hash checks for those cases. Since all internal
+  // testing is done using a dev_image or test_image, we can use that as a
+  // criteria for waiving. This criteria reduces the attack surface as
+  // opposed to waiving the checks when we're in dev mode, because we do want
+  // to enforce the hash checks when our end customers run in dev mode if they
+  // are using an official build, so that they are protected more.
+  if (!utils::IsOfficialBuild()) {
+    LOG(INFO) << "Waiving payload hash checks for unofficial builds";
+    return false;
+  }
+
+  // TODO(jaysri): VALIDATION: For official builds, we currently waive hash
+  // checks for HTTPS until we have rolled out at least once and are confident
+  // nothing breaks. chromium-os:37082 tracks turning this on for HTTPS
+  // eventually.
+  if (StartsWithASCII(response.codebase, "https://", false)) {
+    LOG(INFO) << "Waiving payload hash checks since Omaha response "
+              << "only has HTTPS URL(s)";
+    return false;
+  }
+
+  // No exceptions apply. So hash checks are mandatory, by default.
+  LOG(INFO) << "Mandating payload hash checks since Omaha response "
+            << "contains HTTP URL(s)";
+  return true;
+}
+
 }  // namespace chromeos_update_engine
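Review bot: the final fall-through logs "contains HTTP URL(s)" and returns true, but the function only inspects the single `response.codebase` string and never tests for `http://`, so any non-HTTPS scheme (or a malformed codebase) is reported as HTTP; either check `StartsWithASCII(response.codebase, "http://", false)` explicitly while keeping the fail-closed default of returning true for everything else, or reword the log to say the codebase is not HTTPS. The `false` third argument to `StartsWithASCII` makes the comparison case-insensitive, which is the right choice here and deserves a one-line comment. Also note that the `!utils::IsOfficialBuild()` waiver is evaluated before the scheme check, so dev/test images skip hash checks even over HTTPS; that matches the commit message but should be stated in the comment block above it.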