=================================================================== RCS file: /cvs/openbsd/fw_update/fw_install.sh,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- openbsd/fw_update/fw_install.sh 2021/10/14 03:00:02 1.7 +++ openbsd/fw_update/fw_install.sh 2021/10/16 19:31:13 1.8 @@ -13,8 +13,18 @@ done } -# do_as, unpriv, and unpriv2 are from install.sub +# tmpdir, do_as, unpriv, and unpriv2 are from install.sub +# Create a temporary directory based on the supplied directory name prefix. +tmpdir() { + local _i=1 _dir + + until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do + ((++_i < 10000)) || return 1 + done + echo "$_dir" +} + # Run a command ($2+) as unprivileged user ($1). # Take extra care that after "cmd" no "user" processes exist. # @@ -60,6 +70,12 @@ do_as _file "$@" } +_issue= +fail() { + echo $_issue >&2 + exit 1 +} + VNAME=$(sysctl -n kern.osrelease) VERSION="${VNAME%.*}${VNAME#*.}" FWDIR="$VNAME" @@ -92,43 +108,70 @@ exit 0 fi -tmpdir=${DESTDIR}/tmp/fw_update -[ -e "$tmpdir" ] && rm -rf "$tmpdir" -mkdir -p "$tmpdir" -cd "$tmpdir" +_src=$FWURL +if _tmpsrc=$( tmpdir "${DESTDIR}/tmp/fw_update" ); then + ( + >$_tmpsrc/t && + $_unpriv cat $_tmpsrc/t + ) >/dev/null 2>&1 || + rm -r $_tmpsrc +fi -# TODO: Drop privs during fetch and verify -ftp -D Get -Vm "$FWURL/SHA256.sig" +[[ ! -d $_tmpsrc ]] && + _issue="Cannot create prefetch area" && fail -# Probably should bundle the firmware sigfile on the installer, -# although we can just get it from the recently installed system. -if [ "$DESTDIR" ]; then - sigfile=$( sed -n '/^untrusted comment: verify with \(.*\)$/ { s//\1/p; q; }' SHA256.sig ) - if [ ! -e "/etc/signify/$sigfile" ] \ - && [ -e "${DESTDIR}/etc/signify/$sigfile" ]; then - cp -a "${DESTDIR}/etc/signify/$sigfile" "/etc/signify/$sigfile" - fi -fi +cd "$_tmpsrc" -signify -Ve -x SHA256.sig -m - < SHA256.sig > SHA256 +_t=Get +_cfile="$_tmpsrc/SHA256" +_srclocal=false +! $_unpriv ftp -D "$_t" -Vmo - "$_src/SHA256.sig" >"$_cfile.sig" && + _issue="Cannot fetch SHA256.sig" && fail + +# Verify signature file with public keys. +! unpriv -f "$_cfile" \ + signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" && + _issue="Signature check of SHA256.sig failed" && fail + for d in $drivers; do - firmware=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" SHA256 ) - installed=$( installed_firmware $d ) + _f=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" ) + installed=$( installed_firmware "$d" ) for i in $installed; do - if [ "$firmware" = "$i.tgz" ]; then + if [ "$_f" = "$i.tgz" ]; then echo "Firmware for $d already installed ($installed)" continue 2 fi done - mkdir $d + rm -f /tmp/h /tmp/fail - # TODO: Drop privs during fetch and verify - ftp -D "Get/Verify" -Vmo- "$FWURL/$firmware" | sha256 -bph "$d/h" > "$firmware" - fgrep -qx "SHA256 ($firmware) = $(<$d/h)" SHA256 + _t=Get/Verify + # Fetch firmware file and create a checksum by piping through + # sha256. Create a flag file in case ftp failed. Firmware + # from net is written to the prefetch area. + ( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) | + ( $_srclocal && unpriv2 sha256 -b >/tmp/h || + unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" ) + # Handle failed transfer. + if [[ -f /tmp/fail ]]; then + rm -f "$_tmpsrc/$_f" + _issue="Fetching of $_f failed!" + fail + fi + + # Verify firmware by comparing its checksum with SHA256. + if fgrep -qx "SHA256 ($_f) = $(