From: Lennart Poettering Date: Wed, 5 Nov 2025 16:45:09 +0000 (+0100) Subject: pull-job: optionally store an expected checksum in PullJob object X-Git-Tag: v259-rc1~127^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f16ab48930b7ce3649bb57cf39facac38341799;p=thirdparty%2Fsystemd.git pull-job: optionally store an expected checksum in PullJob object --- diff --git a/src/import/pull-job.c b/src/import/pull-job.c index 57e9e95939a..98849a104c4 100644 --- a/src/import/pull-job.c +++ b/src/import/pull-job.c @@ -49,6 +49,7 @@ PullJob* pull_job_unref(PullJob *j) { strv_free(j->old_etags); free(j->payload); iovec_done(&j->checksum); + iovec_done(&j->expected_checksum); return mfree(j); } @@ -93,6 +94,7 @@ static int pull_job_restart(PullJob *j, const char *new_url) { j->etag_exists = false; j->mtime = 0; iovec_done(&j->checksum); + iovec_done(&j->expected_checksum); j->expected_content_length = UINT64_MAX; curl_glue_remove_and_free(j->glue, j->curl); @@ -258,6 +260,12 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) { log_debug("%s of %s is %s.", EVP_MD_CTX_get0_name(j->checksum_ctx), j->url, h); } + + if (iovec_is_set(&j->expected_checksum) && + iovec_memcmp(&j->checksum, &j->expected_checksum) != 0) { + r = log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Checksum of downloaded resource does not match expected checksum, yikes."); + goto finish; + } } /* Do a couple of finishing disk operations, but only if we are the sole owner of the file (i.e. no diff --git a/src/import/pull-job.h b/src/import/pull-job.h index 7437aab01a8..178cb8a30a1 100644 --- a/src/import/pull-job.h +++ b/src/import/pull-job.h @@ -79,6 +79,7 @@ typedef struct PullJob { EVP_MD_CTX *checksum_ctx; struct iovec checksum; + struct iovec expected_checksum; bool sync; bool force_memory;