AU: Restrict the CA certificates to a smaller trusted set.
BUG=1969
TEST=unit tests, gmerged on device, updated successfully from
https://tools.google.com/service/update2; removed certs from directory
and update failed as expected
Change-Id: I18a04b0222a29249347aae56315bc35170063626
Review URL: http://codereview.chromium.org/3475026
diff --git a/libcurl_http_fetcher.cc b/libcurl_http_fetcher.cc
index 9989ba2..1dcea9e 100644
--- a/libcurl_http_fetcher.cc
+++ b/libcurl_http_fetcher.cc
@@ -16,6 +16,7 @@
namespace {
const int kMaxRetriesCount = 20;
+const char kCACertificatesPath[] = "/usr/share/update_engine/ca-certificates";
}
LibcurlHttpFetcher::~LibcurlHttpFetcher() {
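Review bot: kCACertificatesPath is consumed via CURLOPT_CAPATH later in this file, and that option expects a directory in the hashed layout (c_rehash-style subject-hash filenames) rather than a plain pile of .pem files; a certificate dropped into the directory without the hash link is silently not trusted. Worth recording that at the declaration so whoever provisions the directory knows the constraint, e.g. `// Directory of trusted CA certificates, in the hashed layout libcurl expects for CURLOPT_CAPATH.` Also note that CURLOPT_CAPATH support depends on the TLS backend libcurl was built against; if the build ever moves off OpenSSL this constant may stop having any effect.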
@@ -63,11 +64,16 @@
// By default, libcurl doesn't follow redirections. Allow up to
// |kMaxRedirects| redirections.
- CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_FOLLOWLOCATION, 1),
- CURLE_OK);
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_FOLLOWLOCATION, 1), CURLE_OK);
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_MAXREDIRS, kMaxRedirects),
CURLE_OK);
+ // Makes sure that peer certificate verification is enabled and restricts the
+ // set of trusted certificates.
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1), CURLE_OK);
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH, kCACertificatesPath),
+ CURLE_OK);
+
CHECK_EQ(curl_multi_add_handle(curl_multi_handle_, curl_handle_), CURLM_OK);
transfer_in_progress_ = true;
}
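Review bot: The hunk turns on peer verification but leaves hostname verification to libcurl's default, so the restriction only holds if nobody lowers CURLOPT_SSL_VERIFYHOST elsewhere or builds against a libcurl whose default differs; pinning it here makes the intent explicit: `CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYHOST, 2), CURLE_OK);`. Likewise, CURLOPT_CAPATH is additive to the compiled-in CURLOPT_CAINFO bundle on most libcurl builds, so if the target image ships a system bundle the set is not actually "smaller" as the commit title claims — the TEST line suggests no bundle was present on the device, but that is an environmental assumption rather than something this code enforces, and `CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAINFO, NULL), CURLE_OK);` would make the restriction hold regardless. The enclosing function starts outside this hunk.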