[fix] Verify downloaded tarball with configuration checksum #158

Closes #158 Co-authored-by: Federico Capoano <[email protected]>
openwisp · Dec 15, 2021 · 90346b4 · 90346b4
1 parent c1dc482
commit 90346b4
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/openwisp-config/files/openwisp.agent b/openwisp-config/files/openwisp.agent
@@ -557,9 +557,23 @@ update_configuration() {
 		logger -s "Failed to connect to controller while downloading new config: curl exit code $exit_code" \
 		       -t openwisp \
 		       -p daemon.err
+		# remove the checksum to ensure update is tried again at the next run
+		rm -f $CONFIGURATION_CHECKSUM
 		return 3
 	fi
 
+	local LOCAL_CHECKSUM=$(md5sum $CONFIGURATION_ARCHIVE | cut -d ' ' -f 1)
+	local REMOTE_CHECKSUM=$(tail -n 1 $CONFIGURATION_CHECKSUM 2> /dev/null)
+
+	if [ "$LOCAL_CHECKSUM" != "$REMOTE_CHECKSUM" ]; then
+		logger -s "Failed to download configuration: checksum mismatch" \
+		       -t openwisp \
+		       -p daemon.err
+		# remove the checksum to ensure update is tried again at the next run
+		rm -f $CONFIGURATION_CHECKSUM
+		return 4
+	fi
+
 	logger "Configuration downloaded, now applying it..." \
 		   -t openwisp \
 		   -p daemon.info