update_engine: Don't require hashes for non-official builds.
CL 228293 changed hash check logic such that hashes are always required
for official update URLs, on the assumption that they will always be
available.
This turns out to cause problems for situations like the referenced bug,
where the devserver counts as an official URL but isn't providing
hashes. This CL waives the hash check requirement for non-official
(dev/test) builds.
BUG=chromium:452139
TEST=cros_run_unit_tests --board=panther --packages=update_engine
Change-Id: I0a48bfe216a8afdff27e06baa24b3d37e7517b25
Reviewed-on: https://chromium-review.googlesource.com/243730
Trybot-Ready: David Pursell <dpursell@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: David Pursell <dpursell@chromium.org>
Tested-by: David Pursell <dpursell@chromium.org>
diff --git a/omaha_response_handler_action.cc b/omaha_response_handler_action.cc
index 8458db2..9f240fb 100644
--- a/omaha_response_handler_action.cc
+++ b/omaha_response_handler_action.cc
@@ -133,11 +133,21 @@
bool OmahaResponseHandlerAction::AreHashChecksMandatory(
const OmahaResponse& response) {
- // All our internal testing uses dev server which doesn't generate
- // metadata signatures by default, so we should waive hash checks for
- // unofficial URLs. dbus_service.cc does the security enforcement by not
- // allowing unofficial update URLs though except in specific cases.
- if (!system_state_->request_params()->IsUpdateUrlOfficial()) {
+ // We sometimes need to waive the hash checks in order to download from
+ // sources that don't provide hashes, such as dev server.
+ // At this point UpdateAttempter::IsAnyUpdateSourceAllowed() has already been
+ // checked, so an unofficial update URL won't get this far unless it's OK to
+ // use without a hash. Additionally, we want to always waive hash checks on
+ // unofficial builds (i.e. dev/test images).
+ // The end result is this:
+ // * Base image:
+ // - Official URLs require a hash.
+ // - Unofficial URLs only get this far if the IsAnyUpdateSourceAllowed()
+ // devmode/debugd checks pass, in which case the hash is waived.
+ // * Dev/test image:
+ // - Any URL is allowed through with no hash checking.
+ if (!system_state_->request_params()->IsUpdateUrlOfficial() ||
+ !system_state_->hardware()->IsOfficialBuild()) {
// Still do a hash check if a public key is included.
if (!response.public_key_rsa.empty()) {
// The autoupdate_CatchBadSignatures test checks for this string
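Review bot: In the new condition in AreHashChecksMandatory(), the `!system_state_->hardware()->IsOfficialBuild()` clause waives the mandatory hash check for every URL on a dev/test image, official URLs included, which is broader than the devserver case the commit message describes. Consider logging which of the two clauses triggered the waiver so that a skipped check can be told apart in the update logs. The comment's guarantee for unofficial URLs on a base image also depends on UpdateAttempter::IsAnyUpdateSourceAllowed() having run earlier, an ordering this function does not verify itself; a unit test for each URL/build combination listed in the comment would pin that behaviour down, and no test change is visible in this hunk.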