Safely & monotonically fetch OpenBSD snapshots
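#/usr/bin/env -i /bin/ksh
# NOTE(review): the line above has no "!" after the "#", so it is an ordinary
# comment, not an interpreter line. The script runs under whichever shell is
# invoked on it, and the caller's environment (PATH included) is not cleared.
# Every tool used below is therefore looked up through the caller's PATH.

# Abort on the first unhandled failure so a failed download or a failed
# verification never falls through to the extract/install steps.
set -e

# Private scratch directory: everything is downloaded and verified here and
# only copied out after the signature check has passed.
d=$(mktemp -d)
# Remove the scratch directory on every exit path. Without this, any failure
# under `set -e` (or the explicit `exit 1` paths) skipped the cleanup at the
# end of the script and left the directory behind. Single quotes defer the
# expansion of $d until the trap runs.
trap 'rm -rf -- "$d"' EXIT

# Mirror base URL as configured on this machine.
installurl=$(cat /etc/installurl)
ver=snapshots # uname -r
arch=$(machine)
# Directory on the mirror that holds the snapshot sets for this architecture.
baseurl="$installurl/$ver/$arch"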
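# Print every argument after the first as a NUL-terminated string, leaving
# out any that is equal to the first argument.
# Arguments: $1 - value to drop; $2... - candidate values
# Outputs:   NUL-delimited survivors on stdout (suitable for `xargs -0`)
elide0() {
  # x is declared local so the loop no longer overwrites a caller's variable
  # of the same name.
  local not=$1 x
  shift
  for x in "$@"; do
    # The X prefix keeps values that start with "-" or "!" from being read
    # as operators by [.
    if [ X"$not" != X"$x" ]; then
      printf '%s\0' "$x"
    fi
  done
}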
# Download BUILDINFO, SHA256.sig and every requested file into the scratch
# directory. The body is a subshell, so the `cd` does not change the caller's
# working directory.
# Globals:   d (read), baseurl (read)
# Arguments: names of the files to fetch from $baseurl
# Nothing downloaded here is checked by this function; the script calls
# verify on the scratch directory afterwards.
fetch() (
  cd "$d"
  for name in BUILDINFO SHA256.sig "$@"; do
    # Skip names already present, e.g. BUILDINFO or SHA256.sig requested
    # explicitly on the command line.
    if [ ! -e "$d/$name" ]; then
      ftp -- "$baseurl/$name"
    fi
  done
)
# Check the downloaded files against SHA256.sig with signify, using public
# keys already installed under /etc/signify (never a downloaded key).
# Globals:   d (read)
# Arguments: $1 - release number of the first key to try; $2... - file names
# Returns:   0 as soon as one key verifies SHA256.sig and the checksums of
#            BUILDINFO plus the requested files; otherwise prints
#            "unable to verify" to stderr and exits 1.
# Starting at $1, keys openbsd-N-base.pub are tried with N increasing by one
# until a key file is missing or unreadable. signify does not tell this
# function why a check failed, so a bad signature and a bad checksum both
# move on to the next key; running out of keys fails closed.
verify() (
  local release="$1" pubkey
  shift
  cd "$d"
  pubkey="/etc/signify/openbsd-${release}-base.pub"
  while [ -r "$pubkey" ]; do
    echo "checking with $pubkey"
    # SHA256.sig is passed via -x and has no checksum entry for itself, so it
    # is dropped from the list of files to check.
    if elide0 SHA256.sig "$@" | xargs -0 signify -C -p "$pubkey" -x SHA256.sig BUILDINFO; then
      # all verified OK
      return 0
    fi
    # error, try next key
    release=$((release + 1))
    pubkey="/etc/signify/openbsd-${release}-base.pub"
  done
  # no keys could verify
  echo "unable to verify" >&2
  exit 1
)
# Print the third whitespace-separated field of every line of a BUILDINFO
# file; the callers compare that field as an integer build time.
# Arguments: $1 - path to a BUILDINFO file
time_from_buildinfo() {
  local buildinfo=$1
  awk '{ print $3 }' "$buildinfo"
}
# Succeed when the build time in the freshly fetched BUILDINFO is greater
# than or equal to the reference time in $1 (an equal time passes).
# Globals:   d (read)
# Arguments: $1 - reference time as an integer
# The literal 0 glued in front of $1 makes an empty reference compare as 0,
# so a missing reference value passes this check rather than failing it.
newer_than() {
  [ "$(time_from_buildinfo "$d"/BUILDINFO)" -ge 0"$1" ]
}
# Rollback guard based on the running system: abort the whole script unless
# the fetched build time is at least the value of sysctl kern.boottime.
# Outputs:   a warning on stderr before exiting with status 1
check_downgrade_boottime() {
  if newer_than "$(sysctl -n kern.boottime)"; then
    return 0
  fi
  echo "build older than last boot time. downgrade attack?" >&2
  exit 1
}
# Rollback guard based on the previous fetch: abort the whole script unless
# the fetched build time is at least the one recorded in the BUILDINFO file
# in the current working directory.
# Outputs:   a warning on stderr before exiting with status 1
# The local BUILDINFO is read as-is; this function does not re-verify it, so
# the check is only as trustworthy as the directory it is run from.
check_downgrade_buildinfo() {
  if newer_than "$(time_from_buildinfo BUILDINFO)"; then
    return 0
  fi
  echo "new BUILDINFO older than local BUILDINFO. downgrade attack?" >&2
  exit 1
}
# Print the fetched BUILDINFO so the operator can see which build was
# downloaded.
# Globals:   d (read)
info() {
  local buildinfo="$d/BUILDINFO"
  cat "$buildinfo"
}
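# Copy the named files from the scratch directory into the current working
# directory. The script calls this only after verify has succeeded.
# Globals:   d (read)
# Arguments: names of the files to copy out
extract() {
  # f is declared local so the loop no longer overwrites a caller's variable
  # of the same name.
  local f
  for f in "$@"; do
    cp "$d/$f" .
  done
}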
# Stage the fetched bsd.rd as /bsd.rd.next (via doas) and print the running
# kernel's version next to the staged kernel's, for comparison by eye.
# Globals:   d (read)
# /bsd.rd itself is not touched here.
install_kernel() {
  doas cp "$d/bsd.rd" "/bsd.rd.next"

  printf 'running: '
  # Drop the empty lines in the kern.version output.
  sysctl -n kern.version | grep -v '^$'

  printf '/bsd.rd.next: '
  # stdin is /dev/null, so config -e receives no commands, and stderr is
  # pointed at that same /dev/null; only lines that start with "OpenBSD" or
  # a space are kept (presumably the version banner - confirm).
  config -o /dev/null -e /bsd.rd.next </dev/null 2>&0 | grep -E '^(OpenBSD| )'
}
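# Download into the scratch directory; nothing there is trusted yet.
fetch "$@"

# The digits of `uname -r` select the first signify key that verify tries.
xx=$(uname -r | tr -dc 0-9)
# Under `set -e` a failed verification stops the script here, before anything
# is copied out of the scratch directory.
verify "$xx" "$@"

#check_downgrade_boottime
# Rollback check against the BUILDINFO left in the current directory by an
# earlier run. NOTE(review): when no local BUILDINFO exists, no rollback check
# runs at all (the boot-time check above is commented out), and extract only
# refreshes the local copy when BUILDINFO is one of the requested files.
[ -e BUILDINFO ] && check_downgrade_buildinfo

info
extract "$@"

# Stage the ramdisk kernel only when bsd.rd itself was requested. The earlier
# `case "$@" in *bsd.rd*)` matched the substring anywhere in the joined
# argument list, so it also fired for names that merely contain "bsd.rd",
# where install_kernel has no "$d/bsd.rd" to copy.
for arg in "$@"; do
  if [ X"$arg" = X"bsd.rd" ]; then
    install_kernel
    break
  fi
done

# cleanup
# ${d:?} aborts instead of running rm on an empty path; -f keeps this quiet
# if the directory is already gone.
rm -rf -- "${d:?}"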