op public repos

Blob

Date:: Sun Oct 23 00:37:19 2022 UTC
Message:: introduce gotd(8), a Git repository server reachable via ssh(1) This is an initial barebones implementation which provides the absolute minimum of functionality required to serve got(1) and git(1) clients. Basic fetch/send functionality has been tested and seems to work here, but this server is not yet expected to be stable. More testing is welcome. See the man pages for setup instructions. The current design uses one reader and one writer process per repository, which will have to be extended to N readers and N writers in the future. At startup, each process will chroot(2) into its assigned repository. This works because gotd(8) can only be started as root, and will then fork+exec, chroot, and privdrop. At present the parent process runs with the following pledge(2) promises: "stdio rpath wpath cpath proc getpw sendfd recvfd fattr flock unix unveil" The parent is the only process able to modify the repository in a way that becomes visible to Git clients. The parent uses unveil(2) to restrict its view of the filesystem to /tmp and the repositories listed in the configuration file gotd.conf(5). Per-repository chroot(2) processes use "stdio rpath sendfd recvfd". The writer defers to the parent for modifying references in the repository to point at newly uploaded commits. The reader is fine without such help, because Git repositories can be read without having to create any lock-files. gotd(8) requires a dedicated user ID, which should own repositories on the filesystem, and a separate secondary group, which should not have filesystem-level repository access, and must be allowed access to the gotd(8) socket. To obtain Git repository access, users must be members of this secondary group, and must have their login shell set to gotsh(1). gotsh(1) connects to the gotd(8) socket and speaks Git-protocol towards the client on the other end of the SSH connection. gotsh(1) is not an interactive command shell. At present, authenticated clients are granted read/write access to all repositories and all references (except for the "refs/got/" and the "refs/remotes/" namespaces, which are already being protected from modification). While complicated access control mechanism are not a design goal, making it possible to safely offer anonymous Git repository access over ssh(1) is on the road map.
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include <sys/types.h>
18 #include <sys/queue.h>
19 #include <sys/uio.h>
20 
21 #include <errno.h>
22 #include <event.h>
23 #include <poll.h>
24 #include <limits.h>
25 #include <sha1.h>
26 #include <stdio.h>
27 #include <stdint.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <imsg.h>
31 #include <unistd.h>
32 
33 #include "got_error.h"
34 #include "got_serve.h"
35 #include "got_path.h"
36 #include "got_version.h"
37 #include "got_reference.h"
38 
39 #include "got_lib_pkt.h"
40 #include "got_lib_dial.h"
41 #include "got_lib_gitproto.h"
42 #include "got_lib_sha1.h"
43 #include "got_lib_poll.h"
44 
45 #include "gotd.h"
46 
47 #ifndef nitems
48 #define nitems(_a)	(sizeof((_a)) / sizeof((_a)[0]))
49 #endif
50 
51 static const struct got_capability read_capabilities[] = {
52 	{ GOT_CAPA_AGENT, "got/" GOT_VERSION_STR },
53 	{ GOT_CAPA_OFS_DELTA, NULL },
54 	{ GOT_CAPA_SIDE_BAND_64K, NULL },
55 };
56 
57 static const struct got_capability write_capabilities[] = {
58 	{ GOT_CAPA_AGENT, "got/" GOT_VERSION_STR },
59 	{ GOT_CAPA_OFS_DELTA, NULL },
60 	{ GOT_CAPA_REPORT_STATUS, NULL },
61 	{ GOT_CAPA_NO_THIN, NULL },
62 #if 0
63 	{ GOT_CAPA_DELETE_REFS, NULL },
64 #endif
65 };
66 
67 static const struct got_error *
68 parse_command(char **command, char **repo_path, const char *gitcmd)
69 {
70 	const struct got_error *err = NULL;
71 	size_t len, cmdlen, pathlen;
72 	char *path0 = NULL, *path, *abspath = NULL, *canonpath = NULL;
73 	const char *relpath;
74 
75 	*command = NULL;
76 	*repo_path = NULL;
77 
78 	len = strlen(gitcmd);
79 
80 	if (len >= strlen(GOT_SERVE_CMD_SEND) &&
81 	    strncmp(gitcmd, GOT_SERVE_CMD_SEND,
82 	    strlen(GOT_SERVE_CMD_SEND)) == 0)
83 		cmdlen = strlen(GOT_SERVE_CMD_SEND);
84 	else if (len >= strlen(GOT_SERVE_CMD_FETCH) &&
85 	    strncmp(gitcmd, GOT_SERVE_CMD_FETCH,
86 	    strlen(GOT_SERVE_CMD_FETCH)) == 0)
87 		cmdlen = strlen(GOT_SERVE_CMD_FETCH);
88 	else
89 		return got_error(GOT_ERR_BAD_PACKET);
90 
91 	if (len <= cmdlen + 1 || gitcmd[cmdlen] != ' ')
92 		return got_error(GOT_ERR_BAD_PACKET);
93 
94 	if (memchr(&gitcmd[cmdlen + 1], '\0', len - cmdlen) == NULL)
95 		return got_error(GOT_ERR_BAD_PATH);
96 
97 	/* Forbid linefeeds in paths, like Git does. */
98 	if (memchr(&gitcmd[cmdlen + 1], '\n', len - cmdlen) != NULL)
99 		return got_error(GOT_ERR_BAD_PATH);
100 
101 	path0 = strdup(&gitcmd[cmdlen + 1]);
102 	if (path0 == NULL)
103 		return got_error_from_errno("strdup");
104 	path = path0;
105 	pathlen = strlen(path);
106 
107 	/*
108 	 * Git clients send a shell command.
109 	 * Trim spaces and quotes around the path.
110 	 */
111 	while (path[0] == '\'' || path[0] == '\"' || path[0] == ' ') {
112 		path++;
113 		pathlen--;
114 	}
115 	while (pathlen > 0 &&
116 	    (path[pathlen - 1] == '\'' || path[pathlen - 1] == '\"' ||
117 	    path[pathlen - 1] == ' ')) {
118 		path[pathlen - 1] = '\0';
119 		pathlen--;
120 	}
121 
122 	/* Deny an empty repository path. */
123 	if (path[0] == '\0' || got_path_is_root_dir(path)) {
124 		err = got_error(GOT_ERR_NOT_GIT_REPO);
125 		goto done;
126 	}
127 
128 	if (asprintf(&abspath, "/%s", path) == -1) {
129 		err = got_error_from_errno("asprintf");
130 		goto done;
131 	}
132 	pathlen = strlen(abspath);
133 	canonpath = malloc(pathlen);
134 	if (canonpath == NULL) {
135 		err = got_error_from_errno("malloc");
136 		goto done;
137 	}
138 	err = got_canonpath(abspath, canonpath, pathlen);
139 	if (err)
140 		goto done;
141 
142 	relpath = canonpath;
143 	while (relpath[0] == '/')
144 		relpath++;
145 	*repo_path = strdup(relpath);
146 	if (*repo_path == NULL) {
147 		err = got_error_from_errno("strdup");
148 		goto done;
149 	}
150 	*command = strndup(gitcmd, cmdlen);
151 	if (*command == NULL)
152 		err = got_error_from_errno("strndup");
153 done:
154 	free(path0);
155 	free(abspath);
156 	free(canonpath);
157 	if (err) {
158 		free(*repo_path);
159 		*repo_path = NULL;
160 	}
161 	return err;
162 }
163 
164 static const struct got_error *
165 append_read_capabilities(size_t *capalen, size_t len, const char *symrefstr,
166     uint8_t *buf, size_t bufsize)
167 {
168 	struct got_capability capa[nitems(read_capabilities) + 1];
169 	size_t ncapa;
170 
171 	memcpy(&capa, read_capabilities, sizeof(read_capabilities));
172 	if (symrefstr) {
173 		capa[nitems(read_capabilities)].key = "symref";
174 		capa[nitems(read_capabilities)].value = symrefstr;
175 		ncapa = nitems(capa);
176 	} else
177 		ncapa = nitems(read_capabilities);
178 
179 	return got_gitproto_append_capabilities(capalen, buf, len,
180 	    bufsize, capa, ncapa);
181 }
182 
183 static const struct got_error *
184 send_ref(int outfd, uint8_t *id, const char *refname, int send_capabilities,
185     int client_is_reading, const char *symrefstr, int chattygot)
186 {
187 	const struct got_error *err = NULL;
188 	char hex[SHA1_DIGEST_STRING_LENGTH];
189 	char buf[GOT_PKT_MAX];
190 	size_t len, capalen = 0;
191 
192 	if (got_sha1_digest_to_str(id, hex, sizeof(hex)) == NULL) 
193 		return got_error(GOT_ERR_BAD_OBJ_ID);
194 
195 	len = snprintf(buf, sizeof(buf), "%s %s", hex, refname);
196 	if (len >= sizeof(buf))
197 		return got_error(GOT_ERR_NO_SPACE);
198 
199 	if (send_capabilities) {
200 		if (client_is_reading) {
201 			err = append_read_capabilities(&capalen, len,
202 			    symrefstr, buf, sizeof(buf));
203 		} else {
204 			err = got_gitproto_append_capabilities(&capalen,
205 			    buf, len, sizeof(buf), write_capabilities,
206 			    nitems(write_capabilities));
207 		}
208 		if (err)
209 			return err;
210 		len += capalen;
211 	}
212 
213 	if (len + 1 >= sizeof(buf))
214 		return got_error(GOT_ERR_NO_SPACE);
215 	buf[len] = '\n';
216 	len++;
217 	buf[len] = '\0';
218 
219 	return got_pkt_writepkt(outfd, buf, len, chattygot);
220 }
221 
222 static const struct got_error *
223 send_zero_refs(int outfd, int chattygot)
224 {
225 	const struct got_error *err = NULL;
226 	char buf[GOT_PKT_MAX];
227 	uint8_t zero[SHA1_DIGEST_LENGTH];
228 	char hex[SHA1_DIGEST_STRING_LENGTH];
229 	size_t len, capalen = 0;
230 
231 	memset(&zero, 0, sizeof(zero));
232 
233 	if (got_sha1_digest_to_str(zero, hex, sizeof(hex)) == NULL) 
234 		return got_error(GOT_ERR_BAD_OBJ_ID);
235 
236 	len = snprintf(buf, sizeof(buf), "%s capabilities^{}", hex);
237 	if (len >= sizeof(buf))
238 		return got_error(GOT_ERR_NO_SPACE);
239 
240 	err = got_gitproto_append_capabilities(&capalen, buf, len,
241 	    sizeof(buf), read_capabilities, nitems(read_capabilities));
242 	if (err)
243 		return err;
244 
245 	return got_pkt_writepkt(outfd, buf, len, chattygot);
246 }
247 
248 static void
249 echo_error(const struct got_error *err, int outfd, int chattygot)
250 {
251 	char buf[4 + GOT_ERR_MAX_MSG_SIZE];
252 	size_t len;
253 
254 	/*
255 	 * Echo the error to the client on a pkt-line.
256 	 * The client should then terminate its session.
257 	 */
258 	buf[0] = 'E'; buf[1] = 'R'; buf[2] = 'R'; buf[3] = ' '; buf[4] = '\0';
259 	len = strlcat(buf, err->msg, sizeof(buf));
260 	err = got_pkt_writepkt(outfd, buf, len, chattygot);
261 	abort();
262 }
263 
264 static const struct got_error *
265 announce_refs(int outfd, struct imsgbuf *ibuf, int client_is_reading,
266     const char *repo_path, int chattygot)
267 {
268 	const struct got_error *err = NULL;
269 	struct imsg imsg;
270 	size_t datalen;
271 	struct gotd_imsg_list_refs lsref;
272 	struct gotd_imsg_reflist ireflist;
273 	struct gotd_imsg_ref iref;
274 	struct gotd_imsg_symref isymref;
275 	size_t nrefs = 0;
276 	int have_nrefs = 0, sent_capabilities = 0;
277 	char *symrefname = NULL, *symreftarget = NULL, *symrefstr = NULL;
278 	char *refname = NULL;
279 
280 	memset(&imsg, 0, sizeof(imsg));
281 	memset(&lsref, 0, sizeof(lsref));
282 
283 	if (strlcpy(lsref.repo_name, repo_path, sizeof(lsref.repo_name)) >=
284 	    sizeof(lsref.repo_name))
285 		return got_error(GOT_ERR_NO_SPACE);
286 	lsref.client_is_reading = client_is_reading;
287 	
288 	if (imsg_compose(ibuf, GOTD_IMSG_LIST_REFS, 0, 0, -1,
289 	    &lsref, sizeof(lsref)) == -1)
290 		return got_error_from_errno("imsg_compose LIST_REFS");
291 
292 	err = gotd_imsg_flush(ibuf);
293 	if (err)
294 		return err;
295 
296 	while (!have_nrefs || nrefs > 0) {
297 		err = gotd_imsg_poll_recv(&imsg, ibuf, 0);
298 		if (err)
299 			goto done;
300 		datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
301 		switch (imsg.hdr.type) {
302 		case GOTD_IMSG_ERROR:
303 			err = gotd_imsg_recv_error(NULL, &imsg);
304 			goto done;
305 		case GOTD_IMSG_REFLIST:
306 			if (have_nrefs || nrefs > 0) {
307 				err = got_error(GOT_ERR_PRIVSEP_MSG);
308 				goto done;
309 			}
310 			if (datalen != sizeof(ireflist)) {
311 				err = got_error(GOT_ERR_PRIVSEP_MSG);
312 				goto done;
313 			}
314 			memcpy(&ireflist, imsg.data, sizeof(ireflist));
315 			nrefs = ireflist.nrefs;
316 			have_nrefs = 1;
317 			if (nrefs == 0)
318 				err = send_zero_refs(outfd, chattygot);
319 			break;
320 		case GOTD_IMSG_REF:
321 			if (!have_nrefs || nrefs == 0) {
322 				err = got_error(GOT_ERR_PRIVSEP_MSG);
323 				goto done;
324 			}
325 			if (datalen < sizeof(iref)) {
326 				err = got_error(GOT_ERR_PRIVSEP_MSG);
327 				goto done;
328 			}
329 			memcpy(&iref, imsg.data, sizeof(iref));
330 			if (datalen != sizeof(iref) + iref.name_len) {
331 				err = got_error(GOT_ERR_PRIVSEP_LEN);
332 				goto done;
333 			}
334 			refname = malloc(iref.name_len + 1);
335 			if (refname == NULL) {
336 				err = got_error_from_errno("malloc");
337 				goto done;
338 			}
339 			memcpy(refname, imsg.data + sizeof(iref),
340 			    iref.name_len);
341 			refname[iref.name_len] = '\0';
342 			err = send_ref(outfd, iref.id, refname,
343 			    !sent_capabilities, client_is_reading,
344 			    NULL, chattygot);
345 			free(refname);
346 			refname = NULL;
347 			if (err)
348 				goto done;
349 			sent_capabilities = 1;
350 			if (nrefs > 0)
351 				nrefs--;
352 			break;
353 		case GOTD_IMSG_SYMREF:
354 			if (!have_nrefs || nrefs == 0) {
355 				err = got_error(GOT_ERR_PRIVSEP_MSG);
356 				goto done;
357 			}
358 			if (datalen < sizeof(isymref)) {
359 				err = got_error(GOT_ERR_PRIVSEP_LEN);
360 				goto done;
361 			}
362 			memcpy(&isymref, imsg.data, sizeof(isymref));
363 			if (datalen != sizeof(isymref) + isymref.name_len +
364 			    isymref.target_len) {
365 				err = got_error(GOT_ERR_PRIVSEP_LEN);
366 				goto done;
367 			}
368 
369 			/*
370 			 * For now, we only announce one symbolic ref,
371 			 * as part of our capability advertisement.
372 			 */
373 			if (sent_capabilities || symrefstr != NULL ||
374 			    symrefname != NULL || symreftarget != NULL)
375 				break;
376 
377 			symrefname = malloc(isymref.name_len + 1);
378 			if (symrefname == NULL) {
379 				err = got_error_from_errno("malloc");
380 				goto done;
381 			}
382 			memcpy(symrefname, imsg.data + sizeof(isymref),
383 			    isymref.name_len);
384 			symrefname[isymref.name_len] = '\0';
385 
386 			symreftarget = malloc(isymref.target_len + 1);
387 			if (symreftarget == NULL) {
388 				err = got_error_from_errno("malloc");
389 				goto done;
390 			}
391 			memcpy(symreftarget,
392 			    imsg.data + sizeof(isymref) + isymref.name_len,
393 			    isymref.target_len);
394 			symreftarget[isymref.target_len] = '\0';
395 
396 			if (asprintf(&symrefstr, "%s:%s", symrefname,
397 			    symreftarget) == -1) {
398 				err = got_error_from_errno("asprintf");
399 				goto done;
400 			}
401 			err = send_ref(outfd, isymref.target_id, symrefname,
402 			    !sent_capabilities, client_is_reading, symrefstr,
403 			    chattygot);
404 			free(refname);
405 			refname = NULL;
406 			if (err)
407 				goto done;
408 			sent_capabilities = 1;
409 			if (nrefs > 0)
410 				nrefs--;
411 			break;
412 		default:
413 			err = got_error(GOT_ERR_PRIVSEP_MSG);
414 			break;
415 		}
416 
417 		imsg_free(&imsg);
418 	}
419 
420 	err = got_pkt_flushpkt(outfd, chattygot);
421 	if (err)
422 		goto done;
423 done:
424 	free(symrefstr);
425 	free(symrefname);
426 	free(symreftarget);
427 	return err;
428 }
429 
430 static const struct got_error *
431 parse_want_line(char **common_capabilities, uint8_t *id, char *buf, size_t len)
432 {
433 	const struct got_error *err;
434 	char *id_str = NULL, *client_capabilities = NULL;
435 
436 	err = got_gitproto_parse_want_line(&id_str,
437 	    &client_capabilities, buf, len);
438 	if (err)
439 		return err;
440 
441 	if (!got_parse_sha1_digest(id, id_str)) {
442 		err = got_error_msg(GOT_ERR_BAD_PACKET,
443 		    "want-line with bad object ID");
444 		goto done;
445 	}
446 
447 	if (client_capabilities) {
448 		err = got_gitproto_match_capabilities(common_capabilities,
449 		    NULL, client_capabilities, read_capabilities,
450 		    nitems(read_capabilities));
451 		if (err)
452 			goto done;
453 	}
454 done:
455 	free(id_str);
456 	free(client_capabilities);
457 	return err;
458 }
459 
460 static const struct got_error *
461 parse_have_line(uint8_t *id, char *buf, size_t len)
462 {
463 	const struct got_error *err;
464 	char *id_str = NULL;
465 
466 	err = got_gitproto_parse_have_line(&id_str, buf, len);
467 	if (err)
468 		return err;
469 
470 	if (!got_parse_sha1_digest(id, id_str)) {
471 		err = got_error_msg(GOT_ERR_BAD_PACKET,
472 		    "have-line with bad object ID");
473 		goto done;
474 	}
475 done:
476 	free(id_str);
477 	return err;
478 }
479 
480 static const struct got_error *
481 send_capability(struct got_capability *capa, struct imsgbuf *ibuf)
482 {
483 	const struct got_error *err = NULL;
484 	struct gotd_imsg_capability icapa;
485 	size_t len;
486 	struct ibuf *wbuf;
487 
488 	memset(&icapa, 0, sizeof(icapa));
489 
490 	icapa.key_len = strlen(capa->key);
491 	len = sizeof(icapa) + icapa.key_len;
492 	if (capa->value) {
493 		icapa.value_len = strlen(capa->value);
494 		len += icapa.value_len;
495 	}
496 
497 	wbuf = imsg_create(ibuf, GOTD_IMSG_CAPABILITY, 0, 0, len);
498 	if (wbuf == NULL) {
499 		err = got_error_from_errno("imsg_create CAPABILITY");
500 		return err;
501 	}
502 
503 	if (imsg_add(wbuf, &icapa, sizeof(icapa)) == -1)
504 		return got_error_from_errno("imsg_add CAPABILITY");
505 	if (imsg_add(wbuf, capa->key, icapa.key_len) == -1)
506 		return got_error_from_errno("imsg_add CAPABILITY");
507 	if (capa->value) {
508 		if (imsg_add(wbuf, capa->value, icapa.value_len) == -1)
509 			return got_error_from_errno("imsg_add CAPABILITY");
510 	}
511 
512 	wbuf->fd = -1;
513 	imsg_close(ibuf, wbuf);
514 
515 	return NULL;
516 }
517 
518 static const struct got_error *
519 send_capabilities(int *use_sidebands, int *report_status,
520     char *capabilities_str, struct imsgbuf *ibuf)
521 {
522 	const struct got_error *err = NULL;
523 	struct gotd_imsg_capabilities icapas;
524 	struct got_capability *capa = NULL;
525 	size_t ncapa, i;
526 
527 	err = got_gitproto_split_capabilities_str(&capa, &ncapa,
528 	    capabilities_str);
529 	if (err)
530 		return err;
531 
532 	icapas.ncapabilities = ncapa;
533 	if (imsg_compose(ibuf, GOTD_IMSG_CAPABILITIES, 0, 0, -1,
534 	    &icapas, sizeof(icapas)) == -1) {
535 		err = got_error_from_errno("imsg_compose IMSG_CAPABILITIES");
536 		goto done;
537 	}
538 
539 	for (i = 0; i < ncapa; i++) {
540 		err = send_capability(&capa[i], ibuf);
541 		if (err)
542 			goto done;
543 		if (use_sidebands &&
544 		    strcmp(capa[i].key, GOT_CAPA_SIDE_BAND_64K) == 0)
545 			*use_sidebands = 1;
546 		if (report_status &&
547 		    strcmp(capa[i].key, GOT_CAPA_REPORT_STATUS) == 0)
548 			*report_status = 1;
549 	}
550 done:
551 	free(capa);
552 	return err;
553 }
554 
555 static const struct got_error *
556 forward_flushpkt(struct imsgbuf *ibuf)
557 {
558 	if (imsg_compose(ibuf, GOTD_IMSG_FLUSH, 0, 0, -1, NULL, 0) == -1)
559 		return got_error_from_errno("imsg_compose FLUSH");
560 
561 	return gotd_imsg_flush(ibuf);
562 }
563 
564 static const struct got_error *
565 recv_ack(struct imsg *imsg, uint8_t *expected_id)
566 {
567 	struct gotd_imsg_ack iack;
568 	size_t datalen;
569 
570 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
571 	if (datalen != sizeof(iack))
572 		return got_error(GOT_ERR_PRIVSEP_LEN);
573 
574 	memcpy(&iack, imsg->data, sizeof(iack));
575 	if (memcmp(iack.object_id, expected_id, SHA1_DIGEST_LENGTH) != 0)
576 		return got_error(GOT_ERR_BAD_OBJ_ID);
577 
578 	return NULL;
579 }
580 
581 static const struct got_error *
582 recv_nak(struct imsg *imsg, uint8_t *expected_id)
583 {
584 	struct gotd_imsg_ack inak;
585 	size_t datalen;
586 
587 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
588 	if (datalen != sizeof(inak))
589 		return got_error(GOT_ERR_PRIVSEP_LEN);
590 
591 	memcpy(&inak, imsg->data, sizeof(inak));
592 	if (memcmp(inak.object_id, expected_id, SHA1_DIGEST_LENGTH) != 0)
593 		return got_error(GOT_ERR_BAD_OBJ_ID);
594 
595 	return NULL;
596 }
597 
598 
599 static const struct got_error *
600 recv_want(int *use_sidebands, int outfd, struct imsgbuf *ibuf,
601     char *buf, size_t len, int expect_capabilities, int chattygot)
602 {
603 	const struct got_error *err;
604 	struct gotd_imsg_want iwant;
605 	char *capabilities_str;
606 	int done = 0;
607 	struct imsg imsg;
608 
609 	memset(&iwant, 0, sizeof(iwant));
610 	memset(&imsg, 0, sizeof(imsg));
611 
612 	err = parse_want_line(&capabilities_str, iwant.object_id, buf, len);
613 	if (err)
614 		return err;
615 
616 	if (capabilities_str) {
617 		if (!expect_capabilities) {
618 			err = got_error_msg(GOT_ERR_BAD_PACKET,
619 			    "unexpected capability announcement received");
620 			goto done;
621 		}
622 		err = send_capabilities(use_sidebands, NULL, capabilities_str,
623 		    ibuf);
624 		if (err)
625 			goto done;
626 
627 	}
628 
629 	if (imsg_compose(ibuf, GOTD_IMSG_WANT, 0, 0, -1,
630 	    &iwant, sizeof(iwant)) == -1) {
631 		err = got_error_from_errno("imsg_compose WANT");
632 		goto done;
633 	}
634 
635 	err = gotd_imsg_flush(ibuf);
636 	if (err)
637 		goto done;
638 
639 	/*
640 	 * Wait for an ACK, or an error in case the desired object
641 	 * does not exist.
642 	 */
643 	while (!done && err == NULL) {
644 		err = gotd_imsg_poll_recv(&imsg, ibuf, 0);
645 		if (err)
646 			break;
647 		switch (imsg.hdr.type) {
648 		case GOTD_IMSG_ERROR:
649 			err = gotd_imsg_recv_error(NULL, &imsg);
650 			break;
651 		case GOTD_IMSG_ACK:
652 			err = recv_ack(&imsg, iwant.object_id);
653 			if (err)
654 				break;
655 			done = 1;
656 			break;
657 		default:
658 			err = got_error(GOT_ERR_PRIVSEP_MSG);
659 			break;
660 		}
661 
662 		imsg_free(&imsg);
663 	}
664 done:
665 	free(capabilities_str);
666 	return err;
667 }
668 
669 static const struct got_error *
670 send_ack(int outfd, uint8_t *id, int chattygot)
671 {
672 	char hex[SHA1_DIGEST_STRING_LENGTH];
673 	char buf[GOT_PKT_MAX];
674 	int len;
675 
676 	if (got_sha1_digest_to_str(id, hex, sizeof(hex)) == NULL) 
677 		return got_error(GOT_ERR_BAD_OBJ_ID);
678 
679 	len = snprintf(buf, sizeof(buf), "ACK %s\n", hex);
680 	if (len >= sizeof(buf))
681 		return got_error(GOT_ERR_NO_SPACE);
682 
683 	return got_pkt_writepkt(outfd, buf, len, chattygot);
684 }
685 
686 static const struct got_error *
687 send_nak(int outfd, int chattygot)
688 {
689 	char buf[5];
690 	int len;
691 
692 	len = snprintf(buf, sizeof(buf), "NAK\n");
693 	if (len >= sizeof(buf))
694 		return got_error(GOT_ERR_NO_SPACE);
695 
696 	return got_pkt_writepkt(outfd, buf, len, chattygot);
697 }
698 
699 static const struct got_error *
700 recv_have(int *have_ack, int outfd, struct imsgbuf *ibuf, char *buf,
701     size_t len, int chattygot)
702 {
703 	const struct got_error *err;
704 	struct gotd_imsg_have ihave;
705 	int done = 0;
706 	struct imsg imsg;
707 
708 	memset(&ihave, 0, sizeof(ihave));
709 	memset(&imsg, 0, sizeof(imsg));
710 
711 	err = parse_have_line(ihave.object_id, buf, len);
712 	if (err)
713 		return err;
714 
715 	if (imsg_compose(ibuf, GOTD_IMSG_HAVE, 0, 0, -1,
716 	    &ihave, sizeof(ihave)) == -1)
717 		return got_error_from_errno("imsg_compose HAVE");
718 
719 	err = gotd_imsg_flush(ibuf);
720 	if (err)
721 		return err;
722 
723 	/*
724 	 * Wait for an ACK or a NAK, indicating whether a common
725 	 * commit object has been found.
726 	 */
727 	while (!done && err == NULL) {
728 		err = gotd_imsg_poll_recv(&imsg, ibuf, 0);
729 		if (err)
730 			return err;
731 		switch (imsg.hdr.type) {
732 		case GOTD_IMSG_ERROR:
733 			err = gotd_imsg_recv_error(NULL, &imsg);
734 			break;
735 		case GOTD_IMSG_ACK:
736 			err = recv_ack(&imsg, ihave.object_id);
737 			if (err)
738 				break;
739 			if (!*have_ack) {
740 				err = send_ack(outfd, ihave.object_id,
741 				    chattygot);
742 				if (err)
743 					return err;
744 				*have_ack = 1;
745 			}
746 			done = 1;
747 			break;
748 		case GOTD_IMSG_NAK:
749 			err = recv_nak(&imsg, ihave.object_id);
750 			if (err)
751 				break;
752 			done = 1;
753 			break;
754 		default:
755 			err = got_error(GOT_ERR_PRIVSEP_MSG);
756 			break;
757 		}
758 
759 		imsg_free(&imsg);
760 	}
761 
762 	return err;
763 }
764 
765 static const struct got_error *
766 recv_done(int *packfd, int outfd, struct imsgbuf *ibuf, int chattygot)
767 {
768 	const struct got_error *err;
769 	struct imsg imsg;
770 
771 	*packfd = -1;
772 
773 	if (imsg_compose(ibuf, GOTD_IMSG_DONE, 0, 0, -1, NULL, 0) == -1)
774 		return got_error_from_errno("imsg_compose DONE");
775 
776 	err = gotd_imsg_flush(ibuf);
777 	if (err)
778 		return err;
779 
780 	err = gotd_imsg_poll_recv(&imsg, ibuf, 0);
781 	if (err)
782 		return err;
783 
784 	if (imsg.hdr.type == GOTD_IMSG_ERROR)
785 		err = gotd_imsg_recv_error(NULL, &imsg);
786 	else if (imsg.hdr.type != GOTD_IMSG_PACKFILE_PIPE)
787 		err = got_error(GOT_ERR_PRIVSEP_MSG);
788 	else if (imsg.fd == -1)
789 		err = got_error(GOT_ERR_PRIVSEP_NO_FD);
790 	if (err == NULL)
791 		*packfd = imsg.fd;
792 
793 	imsg_free(&imsg);
794 	return err;
795 }
796 
797 static const struct got_error *
798 relay_progress_reports(struct imsgbuf *ibuf, int outfd, int chattygot)
799 {
800 	const struct got_error *err = NULL;
801 	int pack_starting = 0;
802 	struct gotd_imsg_packfile_progress iprog;
803 	char buf[GOT_PKT_MAX];
804 	struct imsg imsg;
805 	size_t datalen;
806 	int p_deltify = 0, n;
807 	const char *eol = "\r";
808 
809 	memset(&imsg, 0, sizeof(imsg));
810 
811 	while (!pack_starting && err == NULL) {
812 		err = gotd_imsg_poll_recv(&imsg, ibuf, 0);
813 		if (err)
814 			break;
815 
816 		datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
817 		switch (imsg.hdr.type) {
818 		case GOTD_IMSG_ERROR:
819 			err = gotd_imsg_recv_error(NULL, &imsg);
820 			break;
821 		case GOTD_IMSG_PACKFILE_READY:
822 			eol = "\n";
823 			pack_starting = 1;
824 			/* fallthrough */
825 		case GOTD_IMSG_PACKFILE_PROGRESS:
826 			if (datalen != sizeof(iprog)) {
827 				err = got_error(GOT_ERR_PRIVSEP_LEN);
828 				break;
829 			}
830 			memcpy(&iprog, imsg.data, sizeof(iprog));
831 			if (iprog.nobj_total > 0) {
832 				p_deltify = (iprog.nobj_deltify * 100) /
833 				    iprog.nobj_total;
834 			}
835 			buf[0] = GOT_SIDEBAND_PROGRESS_INFO;
836 			n = snprintf(&buf[1], sizeof(buf) - 1,
837 			    "%d commits colored, "
838 			    "%d objects found, "
839 			    "deltify %d%%%s",
840 			    iprog.ncolored, 
841 			    iprog.nfound, 
842 			    p_deltify, eol);
843 			if (n >= sizeof(buf) - 1)
844 				break;
845 			err = got_pkt_writepkt(outfd, buf, 1 + n, chattygot);
846 			break;
847 		default:
848 			err = got_error(GOT_ERR_PRIVSEP_MSG);
849 			break;
850 		}
851 
852 		imsg_free(&imsg);
853 	}
854 
855 	return err;
856 }
857 
858 static const struct got_error *
859 serve_read(int infd, int outfd, int gotd_sock, const char *repo_path,
860     int chattygot)
861 {
862 	const struct got_error *err = NULL;
863 	char buf[GOT_PKT_MAX];
864 	struct imsgbuf ibuf;
865 	enum protostate {
866 		STATE_EXPECT_WANT,
867 		STATE_EXPECT_MORE_WANT,
868 		STATE_EXPECT_HAVE,
869 		STATE_EXPECT_DONE,
870 		STATE_DONE,
871 	};
872 	enum protostate curstate = STATE_EXPECT_WANT;
873 	int have_ack = 0, use_sidebands = 0, seen_have = 0;
874 	int packfd = -1;
875 	size_t pack_chunksize;
876 
877 	imsg_init(&ibuf, gotd_sock);
878 
879 	err = announce_refs(outfd, &ibuf, 1, repo_path, chattygot);
880 	if (err)
881 		goto done;
882 
883 	while (curstate != STATE_DONE) {
884 		int n;
885 		buf[0] = '\0';
886 		err = got_pkt_readpkt(&n, infd, buf, sizeof(buf), chattygot);
887 		if (err)
888 			break;
889 		if (n == 0) {
890 			if (curstate != STATE_EXPECT_MORE_WANT &&
891 			    curstate != STATE_EXPECT_HAVE) {
892 				err = got_error_msg(GOT_ERR_BAD_PACKET,
893 				    "unexpected flush packet received");
894 				goto done;
895 			}
896 			err = forward_flushpkt(&ibuf);
897 			if (err)
898 				goto done;
899 			if (curstate == STATE_EXPECT_HAVE && !have_ack) {
900 				err = send_nak(outfd, chattygot);
901 				if (err)
902 					goto done;
903 			}
904 			if (curstate == STATE_EXPECT_MORE_WANT)
905 				curstate = STATE_EXPECT_HAVE;
906 			else
907 				curstate = STATE_EXPECT_DONE;
908 		} else if (n >= 5 && strncmp(buf, "want ", 5) == 0) {
909 			if (curstate != STATE_EXPECT_WANT &&
910 			    curstate != STATE_EXPECT_MORE_WANT) {
911 				err = got_error_msg(GOT_ERR_BAD_PACKET,
912 				    "unexpected 'want' packet");
913 				goto done;
914 			}
915 			err = recv_want(&use_sidebands, outfd, &ibuf, buf, n,
916 			    curstate == STATE_EXPECT_WANT ? 1 : 0, chattygot);
917 			if (err)
918 				goto done;
919 			if (curstate == STATE_EXPECT_WANT)
920 				curstate = STATE_EXPECT_MORE_WANT;
921 		} else if (n >= 5 && strncmp(buf, "have ", 5) == 0) {
922 			if (curstate != STATE_EXPECT_HAVE) {
923 				err = got_error_msg(GOT_ERR_BAD_PACKET,
924 				    "unexpected 'have' packet");
925 				goto done;
926 			}
927 			err = recv_have(&have_ack, outfd, &ibuf, buf, n,
928 			    chattygot);
929 			if (err)
930 				goto done;
931 			seen_have = 1;
932 		} else if (n == 5 && strncmp(buf, "done\n", 5) == 0) {
933 			if (curstate != STATE_EXPECT_HAVE &&
934 			    curstate != STATE_EXPECT_DONE) {
935 				err = got_error_msg(GOT_ERR_BAD_PACKET,
936 				    "unexpected 'done' packet");
937 				goto done;
938 			}
939 			err = recv_done(&packfd, outfd, &ibuf, chattygot);
940 			if (err)
941 				goto done;
942 			curstate = STATE_DONE;
943 			break;
944 		} else {
945 			err = got_error(GOT_ERR_BAD_PACKET);
946 			goto done;
947 		}
948 	}
949 
950 	if (!seen_have) {
951 		err = send_nak(outfd, chattygot);
952 		if (err)
953 			goto done;
954 	}
955 
956 	if (use_sidebands) {
957 		err = relay_progress_reports(&ibuf, outfd, chattygot);
958 		if (err)
959 			goto done;
960 		pack_chunksize = GOT_SIDEBAND_64K_PACKFILE_DATA_MAX;
961 	} else
962 		pack_chunksize = sizeof(buf);
963 
964 	for (;;) {
965 		ssize_t r, w;
966 
967 		r = read(packfd, use_sidebands ? &buf[1] : buf,
968 		    pack_chunksize);
969 		if (r == -1) {
970 			err = got_error_from_errno("read");
971 			break;
972 		} else if (r == 0) {
973 			err = got_pkt_flushpkt(outfd, chattygot);
974 			break;
975 		}
976 
977 		if (use_sidebands) {
978 			buf[0] = GOT_SIDEBAND_PACKFILE_DATA;
979 			err = got_pkt_writepkt(outfd, buf, 1 + r, chattygot);
980 			if (err)
981 				break;
982 		} else {
983 			w = write(outfd, buf, r);
984 			if (w == -1) {
985 				err = got_error_from_errno("write");
986 				break;
987 			} else if (w != r) {
988 				err = got_error(GOT_ERR_IO);
989 				break;
990 			}
991 		}
992 	}
993 done:
994 	imsg_clear(&ibuf);
995 	if (packfd != -1 && close(packfd) == -1 && err == NULL)
996 		err = got_error_from_errno("close");
997 	if (err)
998 		echo_error(err, outfd, chattygot);
999 	return err;
1000 }
1001 
1002 static const struct got_error *
1003 parse_ref_update_line(char **common_capabilities, char **refname,
1004     uint8_t *old_id, uint8_t *new_id, char *buf, size_t len)
1005 {
1006 	const struct got_error *err;
1007 	char *old_id_str = NULL, *new_id_str = NULL;
1008 	char *client_capabilities = NULL;
1009 
1010 	*refname = NULL;
1011 
1012 	err = got_gitproto_parse_ref_update_line(&old_id_str, &new_id_str,
1013 	    refname, &client_capabilities, buf, len);
1014 	if (err)
1015 		return err;
1016 
1017 	if (!got_parse_sha1_digest(old_id, old_id_str) ||
1018 	    !got_parse_sha1_digest(new_id, new_id_str)) {
1019 		err = got_error_msg(GOT_ERR_BAD_PACKET,
1020 		    "ref-update with bad object ID");
1021 		goto done;
1022 	}
1023 	if (!got_ref_name_is_valid(*refname)) {
1024 		err = got_error_msg(GOT_ERR_BAD_PACKET,
1025 		    "ref-update with bad reference name");
1026 		goto done;
1027 	}
1028 
1029 	if (client_capabilities) {
1030 		err = got_gitproto_match_capabilities(common_capabilities,
1031 		    NULL, client_capabilities, write_capabilities,
1032 		    nitems(write_capabilities));
1033 		if (err)
1034 			goto done;
1035 	}
1036 done:
1037 	free(old_id_str);
1038 	free(new_id_str);
1039 	free(client_capabilities);
1040 	if (err) {
1041 		free(*refname);
1042 		*refname = NULL;
1043 	}
1044 	return err;
1045 }
1046 
1047 static const struct got_error *
1048 recv_ref_update(int *report_status, int outfd, struct imsgbuf *ibuf,
1049     char *buf, size_t len, int expect_capabilities, int chattygot)
1050 {
1051 	const struct got_error *err;
1052 	struct gotd_imsg_ref_update iref;
1053 	struct ibuf *wbuf;
1054 	char *capabilities_str = NULL, *refname = NULL;
1055 	int done = 0;
1056 	struct imsg imsg;
1057 
1058 	memset(&iref, 0, sizeof(iref));
1059 	memset(&imsg, 0, sizeof(imsg));
1060 
1061 	err = parse_ref_update_line(&capabilities_str, &refname,
1062 	    iref.old_id, iref.new_id, buf, len);
1063 	if (err)
1064 		return err;
1065 
1066 	if (capabilities_str) {
1067 		if (!expect_capabilities) {
1068 			err = got_error_msg(GOT_ERR_BAD_PACKET,
1069 			    "unexpected capability announcement received");
1070 			goto done;
1071 		}
1072 		err = send_capabilities(NULL, report_status, capabilities_str,
1073 		    ibuf);
1074 		if (err)
1075 			goto done;
1076 	}
1077 
1078 	iref.name_len = strlen(refname);
1079 	len = sizeof(iref) + iref.name_len;
1080 	wbuf = imsg_create(ibuf, GOTD_IMSG_REF_UPDATE, 0, 0, len);
1081 	if (wbuf == NULL) {
1082 		err = got_error_from_errno("imsg_create REF_UPDATE");
1083 		goto done;
1084 	}
1085 
1086 	if (imsg_add(wbuf, &iref, sizeof(iref)) == -1)
1087 		return got_error_from_errno("imsg_add REF_UPDATE");
1088 	if (imsg_add(wbuf, refname, iref.name_len) == -1)
1089 		return got_error_from_errno("imsg_add REF_UPDATE");
1090 	wbuf->fd = -1;
1091 	imsg_close(ibuf, wbuf);
1092 
1093 	err = gotd_imsg_flush(ibuf);
1094 	if (err)
1095 		goto done;
1096 
1097 	/* Wait for ACK or an error. */
1098 	while (!done && err == NULL) {
1099 		err = gotd_imsg_poll_recv(&imsg, ibuf, 0);
1100 		if (err)
1101 			break;
1102 		switch (imsg.hdr.type) {
1103 		case GOTD_IMSG_ERROR:
1104 			err = gotd_imsg_recv_error(NULL, &imsg);
1105 			break;
1106 		case GOTD_IMSG_ACK:
1107 			err = recv_ack(&imsg, iref.new_id);
1108 			if (err)
1109 				break;
1110 			done = 1;
1111 			break;
1112 		default:
1113 			err = got_error(GOT_ERR_PRIVSEP_MSG);
1114 			break;
1115 		}
1116 
1117 		imsg_free(&imsg);
1118 	}
1119 done:
1120 	free(capabilities_str);
1121 	free(refname);
1122 	return err;
1123 }
1124 
1125 static const struct got_error *
1126 recv_packfile(struct imsg *imsg, int infd)
1127 {
1128 	const struct got_error *err = NULL;
1129 	size_t datalen;
1130 	int packfd;
1131 	char buf[GOT_PKT_MAX];
1132 	int pack_done = 0;
1133 
1134 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1135 	if (datalen != 0)
1136 		return got_error(GOT_ERR_PRIVSEP_MSG);
1137 
1138 	if (imsg->fd == -1)
1139 		return got_error(GOT_ERR_PRIVSEP_NO_FD);
1140 	
1141 	packfd = imsg->fd;
1142 	while (!pack_done) {
1143 		ssize_t r = 0;
1144 
1145 		err = got_poll_fd(infd, POLLIN, 1);
1146 		if (err) {
1147 			if (err->code != GOT_ERR_TIMEOUT)
1148 				break;
1149 			err = NULL;
1150 		} else {
1151 			r = read(infd, buf, sizeof(buf));
1152 			if (r == -1) {
1153 				err = got_error_from_errno("read");
1154 				break;
1155 			}
1156 			if (r == 0) {
1157 				/*
1158 				 * Git clients hang up their side of the
1159 				 * connection after sending the pack file.
1160 				 */
1161 				err = NULL;
1162 				pack_done = 1;
1163 				break;
1164 			}
1165 		}
1166 
1167 		if (r == 0) {
1168 			/* Detect gotd(8) closing the pack pipe when done. */
1169 			err = got_poll_fd(packfd, POLLOUT, 1);
1170 			if (err) {
1171 				if (err->code != GOT_ERR_EOF)
1172 					break;
1173 				err = NULL;
1174 				pack_done = 1;
1175 			}
1176 		} else {
1177 			/* Write pack data and/or detect pipe being closed. */
1178 			err = got_poll_write_full(packfd, buf, r);
1179 			if (err) {
1180 				if (err->code == GOT_ERR_EOF)
1181 					err = NULL;
1182 				break;
1183 			}
1184 		}
1185 	}
1186 
1187 	close(packfd);
1188 	return err;
1189 }
1190 
1191 static const struct got_error *
1192 report_unpack_status(struct imsg *imsg, int outfd, int chattygot)
1193 {
1194 	const struct got_error *err = NULL;
1195 	struct gotd_imsg_packfile_status istatus;
1196 	char buf[GOT_PKT_MAX];
1197 	size_t datalen, len;
1198 	char *reason = NULL;
1199 
1200 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1201 	if (datalen < sizeof(istatus))
1202 		return got_error(GOT_ERR_PRIVSEP_LEN);
1203 	memcpy(&istatus, imsg->data, sizeof(istatus));
1204 	if (datalen != sizeof(istatus) + istatus.reason_len)
1205 		return got_error(GOT_ERR_PRIVSEP_LEN);
1206 
1207 	reason = malloc(istatus.reason_len + 1);
1208 	if (reason == NULL) {
1209 		err = got_error_from_errno("malloc");
1210 		goto done;
1211 	}
1212 	memcpy(reason, imsg->data + sizeof(istatus), istatus.reason_len);
1213 	reason[istatus.reason_len] = '\0';
1214 
1215 	if (err == NULL)
1216 		len = snprintf(buf, sizeof(buf), "unpack ok\n");
1217 	else
1218 		len = snprintf(buf, sizeof(buf), "unpack %s\n", reason);
1219 	if (len >= sizeof(buf)) {
1220 		err = got_error(GOT_ERR_NO_SPACE);
1221 		goto done;
1222 	}
1223 
1224 	err = got_pkt_writepkt(outfd, buf, len, chattygot);
1225 done:
1226 	free(reason);
1227 	return err;
1228 }
1229 
1230 static const struct got_error *
1231 recv_ref_update_ok(struct imsg *imsg, int outfd, int chattygot)
1232 {
1233 	const struct got_error *err = NULL;
1234 	struct gotd_imsg_ref_update_ok iok;
1235 	size_t datalen, len;
1236 	char buf[GOT_PKT_MAX];
1237 	char *refname = NULL;
1238 
1239 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1240 	if (datalen < sizeof(iok))
1241 		return got_error(GOT_ERR_PRIVSEP_LEN);
1242 	memcpy(&iok, imsg->data, sizeof(iok));
1243 	if (datalen != sizeof(iok) + iok.name_len)
1244 		return got_error(GOT_ERR_PRIVSEP_LEN);
1245 
1246 	memcpy(&iok, imsg->data, sizeof(iok));
1247 
1248 	refname = malloc(iok.name_len + 1);
1249 	if (refname == NULL)
1250 		return got_error_from_errno("malloc");
1251 	memcpy(refname, imsg->data + sizeof(iok), iok.name_len);
1252 	refname[iok.name_len] = '\0';
1253 
1254 	len = snprintf(buf, sizeof(buf), "ok %s\n", refname);
1255 	if (len >= sizeof(buf)) {
1256 		err = got_error(GOT_ERR_NO_SPACE);
1257 		goto done;
1258 	}
1259 
1260 	err = got_pkt_writepkt(outfd, buf, len, chattygot);
1261 done:
1262 	free(refname);
1263 	return err;
1264 }
1265 
1266 static const struct got_error *
1267 recv_ref_update_ng(struct imsg *imsg, int outfd, int chattygot)
1268 {
1269 	const struct got_error *err = NULL;
1270 	struct gotd_imsg_ref_update_ng ing;
1271 	size_t datalen, len;
1272 	char buf[GOT_PKT_MAX];
1273 	char *refname = NULL, *reason = NULL;
1274 
1275 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1276 	if (datalen < sizeof(ing))
1277 		return got_error(GOT_ERR_PRIVSEP_LEN);
1278 	memcpy(&ing, imsg->data, sizeof(ing));
1279 	if (datalen != sizeof(ing) + ing.name_len + ing.reason_len)
1280 		return got_error(GOT_ERR_PRIVSEP_LEN);
1281 
1282 	memcpy(&ing, imsg->data, sizeof(ing));
1283 
1284 	refname = malloc(ing.name_len + 1);
1285 	if (refname == NULL)
1286 		return got_error_from_errno("malloc");
1287 	memcpy(refname, imsg->data + sizeof(ing), ing.name_len);
1288 	refname[ing.name_len] = '\0';
1289 
1290 	reason = malloc(ing.reason_len + 1);
1291 	if (reason == NULL) {
1292 		err = got_error_from_errno("malloc");
1293 		goto done;
1294 	}
1295 	memcpy(refname, imsg->data + sizeof(ing) + ing.name_len,
1296 	    ing.reason_len);
1297 	refname[ing.reason_len] = '\0';
1298 
1299 	len = snprintf(buf, sizeof(buf), "ng %s %s\n", refname, reason);
1300 	if (len >= sizeof(buf)) {
1301 		err = got_error(GOT_ERR_NO_SPACE);
1302 		goto done;
1303 	}
1304 
1305 	err = got_pkt_writepkt(outfd, buf, len, chattygot);
1306 done:
1307 	free(refname);
1308 	free(reason);
1309 	return err;
1310 }
1311 
1312 static const struct got_error *
1313 serve_write(int infd, int outfd, int gotd_sock, const char *repo_path,
1314     int chattygot)
1315 {
1316 	const struct got_error *err = NULL;
1317 	char buf[GOT_PKT_MAX];
1318 	struct imsgbuf ibuf;
1319 	enum protostate {
1320 		STATE_EXPECT_REF_UPDATE,
1321 		STATE_EXPECT_MORE_REF_UPDATES,
1322 		STATE_EXPECT_PACKFILE,
1323 		STATE_PACKFILE_RECEIVED,
1324 		STATE_REFS_UPDATED,
1325 	};
1326 	enum protostate curstate = STATE_EXPECT_REF_UPDATE;
1327 	struct imsg imsg;
1328 	int report_status = 0;
1329 
1330 	imsg_init(&ibuf, gotd_sock);
1331 	memset(&imsg, 0, sizeof(imsg));
1332 
1333 	err = announce_refs(outfd, &ibuf, 0, repo_path, chattygot);
1334 	if (err)
1335 		goto done;
1336 
1337 	while (curstate != STATE_EXPECT_PACKFILE) {
1338 		int n;
1339 		buf[0] = '\0';
1340 		err = got_pkt_readpkt(&n, infd, buf, sizeof(buf), chattygot);
1341 		if (err)
1342 			break;
1343 		if (n == 0) {
1344 			if (curstate != STATE_EXPECT_MORE_REF_UPDATES) {
1345 				err = got_error_msg(GOT_ERR_BAD_PACKET,
1346 				    "unexpected flush packet received");
1347 				goto done;
1348 			}
1349 			err = forward_flushpkt(&ibuf);
1350 			if (err)
1351 				goto done;
1352 			curstate = STATE_EXPECT_PACKFILE;
1353 		} else if (n >= (SHA1_DIGEST_STRING_LENGTH * 2) + 2) {
1354 			if (curstate != STATE_EXPECT_REF_UPDATE &&
1355 			    curstate != STATE_EXPECT_MORE_REF_UPDATES) {
1356 				err = got_error_msg(GOT_ERR_BAD_PACKET,
1357 				    "unexpected ref-update packet");
1358 				goto done;
1359 			}
1360 			if (curstate == STATE_EXPECT_REF_UPDATE) {
1361 				err = recv_ref_update(&report_status,
1362 				    outfd, &ibuf, buf, n, 1, chattygot);
1363 			} else {
1364 				err = recv_ref_update(NULL, outfd, &ibuf,
1365 				    buf, n, 0, chattygot);
1366 			}
1367 			if (err)
1368 				goto done;
1369 			curstate = STATE_EXPECT_MORE_REF_UPDATES;
1370 		} else {
1371 			err = got_error(GOT_ERR_BAD_PACKET);
1372 			goto done;
1373 		}
1374 	}
1375 
1376 	while (curstate != STATE_PACKFILE_RECEIVED) {
1377 		err = gotd_imsg_poll_recv(&imsg, &ibuf, 0);
1378 		if (err)
1379 			goto done;
1380 		switch (imsg.hdr.type) {
1381 		case GOTD_IMSG_ERROR:
1382 			err = gotd_imsg_recv_error(NULL, &imsg);
1383 			goto done;
1384 		case GOTD_IMSG_RECV_PACKFILE:
1385 			err = recv_packfile(&imsg, infd);
1386 			if (err) {
1387 				if (err->code != GOT_ERR_EOF)
1388 					goto done;
1389 				/*
1390 				 * EOF is reported when the client hangs up,
1391 				 * which can happen with Git clients.
1392 				 * The socket should stay half-open so we
1393 				 * can still send our reports if requested.
1394 				 */
1395 				err = NULL;
1396 			}
1397 			curstate = STATE_PACKFILE_RECEIVED;
1398 			break;
1399 		default:
1400 			err = got_error(GOT_ERR_PRIVSEP_MSG);
1401 			break;
1402 		}
1403 
1404 		imsg_free(&imsg);
1405 		if (err)
1406 			goto done;
1407 	}
1408 
1409 	while (curstate != STATE_REFS_UPDATED && err == NULL) {
1410 		err = gotd_imsg_poll_recv(&imsg, &ibuf, 0);
1411 		if (err)
1412 			break;
1413 		switch (imsg.hdr.type) {
1414 		case GOTD_IMSG_ERROR:
1415 			err = gotd_imsg_recv_error(NULL, &imsg);
1416 			break;
1417 		case GOTD_IMSG_PACKFILE_STATUS:
1418 			if (!report_status)
1419 				break;
1420 			err = report_unpack_status(&imsg, outfd, chattygot);
1421 			break;
1422 		case GOTD_IMSG_REF_UPDATE_OK:
1423 			if (!report_status)
1424 				break;
1425 			err = recv_ref_update_ok(&imsg, outfd, chattygot);
1426 			break;
1427 		case GOTD_IMSG_REF_UPDATE_NG:
1428 			if (!report_status)
1429 				break;
1430 			err = recv_ref_update_ng(&imsg, outfd, chattygot);
1431 			break;
1432 		case GOTD_IMSG_REFS_UPDATED:
1433 			curstate = STATE_REFS_UPDATED;
1434 			err = got_pkt_flushpkt(outfd, chattygot);
1435 			break;
1436 		default:
1437 			err = got_error(GOT_ERR_PRIVSEP_MSG);
1438 			break;
1439 		}
1440 
1441 		imsg_free(&imsg);
1442 	}
1443 done:
1444 	imsg_clear(&ibuf);
1445 	if (err)
1446 		echo_error(err, outfd, chattygot);
1447 	return err;
1448 }
1449 
1450 const struct got_error *
1451 got_serve(int infd, int outfd, const char *gitcmd, int gotd_sock, int chattygot)
1452 {
1453 	const struct got_error *err = NULL;
1454 	char *command = NULL, *repo_path = NULL;
1455 
1456 	err = parse_command(&command, &repo_path, gitcmd);
1457 	if (err)
1458 		return err;
1459 
1460 	if (strcmp(command, GOT_SERVE_CMD_FETCH) == 0)
1461 		err = serve_read(infd, outfd, gotd_sock, repo_path, chattygot);
1462 	else if (strcmp(command, GOT_SERVE_CMD_SEND) == 0)
1463 		err = serve_write(infd, outfd, gotd_sock, repo_path, chattygot);
1464 	else
1465 		err = got_error(GOT_ERR_BAD_PACKET);
1466 
1467 	free(command);
1468 	free(repo_path);
1469 	return err;
1470 }