commit 84634dc7ae13a4e887937bded8f9486a2869e73c
author Alex Khouderchah <akhouderchah@chromium.org> Thu Apr 04 09:25:39 2019 -0700
committer chrome-bot <chrome-bot@chromium.org> Tue Apr 23 02:43:53 2019 -0700
tree 1d1fa072aa650a48160f726d5c9f83d21aea12e6
parent 41ac04b6e8bc9e30d8436171f3eb54e3958e8cd6

update_engine: Only use CAPATH for certificate verification

libcurl has the sometimes unexpected behavior that CAINFO will always
be preferred over CAPATH for certificate verification when
non-null. In this case, that means root certificates in both
/etc/ssl/certs and /usr/share/chromeos-ca-certificates will be used
when only root certificates in the latter directory are expected to be
used. Setting CAINFO to null will ensure that only CAPATH is used.

BUG=chromium:949426
TEST=-All unit tests are passing.
     -Pre-CQ is passing.

Change-Id: I7ae231881ab47353c8f4637ce48f69c834fc307f
Reviewed-on: https://chromium-review.googlesource.com/1553463
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Alex Khouderchah <akhouderchah@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Xiaochu Liu <xiaochu@chromium.org>

libcurl_http_fetcher.cc

diff --git a/libcurl_http_fetcher.cc b/libcurl_http_fetcher.cc
index ce3475d..4e33671 100644
--- a/libcurl_http_fetcher.cc
+++ b/libcurl_http_fetcher.cc
@@ -305,6 +305,7 @@
   LOG(INFO) << "Setting up curl options for HTTPS";
   CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1), CURLE_OK);
   CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYHOST, 2), CURLE_OK);
+  CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAINFO, nullptr), CURLE_OK);
   CHECK_EQ(curl_easy_setopt(
                curl_handle_, CURLOPT_CAPATH, constants::kCACertificatesPath),
            CURLE_OK);