1 /*
2  * Copyright (c) 2018, 2019, 2020 Stefan Sperling <stsp@openbsd.org>
3  * Copyright (c) 2020 Ori Bernstein <ori@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <sys/types.h>
19 #include <sys/queue.h>
20 #include <sys/uio.h>
21 #include <sys/wait.h>
22 
23 #include <ctype.h>
24 #include <limits.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <errno.h>
29 #include <stdint.h>
30 #include <poll.h>
31 #include <imsg.h>
32 #include <sha1.h>
33 #include <unistd.h>
34 #include <zlib.h>
35 #include <time.h>
36 
37 #include "got_object.h"
38 #include "got_error.h"
39 #include "got_path.h"
40 #include "got_repository.h"
41 
42 #include "got_lib_sha1.h"
43 #include "got_lib_delta.h"
44 #include "got_lib_inflate.h"
45 #include "got_lib_object.h"
46 #include "got_lib_object_parse.h"
47 #include "got_lib_privsep.h"
48 #include "got_lib_pack.h"
49 
50 #ifndef MIN
51 #define	MIN(_a,_b) ((_a) < (_b) ? (_a) : (_b))
52 #endif
53 
54 #ifndef nitems
55 #define nitems(_a)	(sizeof((_a)) / sizeof((_a)[0]))
56 #endif
57 
58 static const struct got_error *
59 poll_fd(int fd, int events, int timeout)
60 {
61 	struct pollfd pfd[1];
62 	int n;
63 
64 	pfd[0].fd = fd;
65 	pfd[0].events = events;
66 
67 	n = poll(pfd, 1, timeout);
68 	if (n == -1)
69 		return got_error_from_errno("poll");
70 	if (n == 0)
71 		return got_error(GOT_ERR_TIMEOUT);
72 	if (pfd[0].revents & (POLLERR | POLLNVAL))
73 		return got_error_from_errno("poll error");
74 	if (pfd[0].revents & (events | POLLHUP))
75 		return NULL;
76 
77 	return got_error(GOT_ERR_INTERRUPT);
78 }
79 
80 static const struct got_error *
81 read_imsg(struct imsgbuf *ibuf)
82 {
83 	const struct got_error *err;
84 	size_t n;
85 
86 	err = poll_fd(ibuf->fd, POLLIN, INFTIM);
87 	if (err)
88 		return err;
89 
90 	n = imsg_read(ibuf);
91 	if (n == -1) {
92 		if (errno == EAGAIN) /* Could be a file-descriptor leak. */
93 			return got_error(GOT_ERR_PRIVSEP_NO_FD);
94 		return got_error(GOT_ERR_PRIVSEP_READ);
95 	}
96 	if (n == 0)
97 		return got_error(GOT_ERR_PRIVSEP_PIPE);
98 
99 	return NULL;
100 }
101 
102 const struct got_error *
103 got_privsep_wait_for_child(pid_t pid)
104 {
105 	int child_status;
106 
107 	if (waitpid(pid, &child_status, 0) == -1)
108 		return got_error_from_errno("waitpid");
109 
110 	if (!WIFEXITED(child_status))
111 		return got_error(GOT_ERR_PRIVSEP_DIED);
112 
113 	if (WEXITSTATUS(child_status) != 0)
114 		return got_error(GOT_ERR_PRIVSEP_EXIT);
115 
116 	return NULL;
117 }
118 
119 static const struct got_error *
120 recv_imsg_error(struct imsg *imsg, size_t datalen)
121 {
122 	struct got_imsg_error *ierr;
123 
124 	if (datalen != sizeof(*ierr))
125 		return got_error(GOT_ERR_PRIVSEP_LEN);
126 
127 	ierr = imsg->data;
128 	if (ierr->code == GOT_ERR_ERRNO) {
129 		static struct got_error serr;
130 		serr.code = GOT_ERR_ERRNO;
131 		serr.msg = strerror(ierr->errno_code);
132 		return &serr;
133 	}
134 
135 	return got_error(ierr->code);
136 }
137 
138 const struct got_error *
139 got_privsep_recv_imsg(struct imsg *imsg, struct imsgbuf *ibuf,
140     size_t min_datalen)
141 {
142 	const struct got_error *err;
143 	ssize_t n;
144 
145 	n = imsg_get(ibuf, imsg);
146 	if (n == -1)
147 		return got_error_from_errno("imsg_get");
148 
149 	while (n == 0) {
150 		err = read_imsg(ibuf);
151 		if (err)
152 			return err;
153 		n = imsg_get(ibuf, imsg);
154 		if (n == -1)
155 			return got_error_from_errno("imsg_get");
156 	}
157 
158 	if (imsg->hdr.len < IMSG_HEADER_SIZE + min_datalen)
159 		return got_error(GOT_ERR_PRIVSEP_LEN);
160 
161 	if (imsg->hdr.type == GOT_IMSG_ERROR) {
162 		size_t datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
163 		return recv_imsg_error(imsg, datalen);
164 	}
165 
166 	return NULL;
167 }
168 
169 /* Attempt to send an error in an imsg. Complain on stderr as a last resort. */
170 void
171 got_privsep_send_error(struct imsgbuf *ibuf, const struct got_error *err)
172 {
173 	const struct got_error *poll_err;
174 	struct got_imsg_error ierr;
175 	int ret;
176 
177 	ierr.code = err->code;
178 	if (err->code == GOT_ERR_ERRNO)
179 		ierr.errno_code = errno;
180 	else
181 		ierr.errno_code = 0;
182 	ret = imsg_compose(ibuf, GOT_IMSG_ERROR, 0, 0, -1, &ierr, sizeof(ierr));
183 	if (ret == -1) {
184 		fprintf(stderr, "%s: error %d \"%s\": imsg_compose: %s\n",
185 		    getprogname(), err->code, err->msg, strerror(errno));
186 		return;
187 	}
188 
189 	poll_err = poll_fd(ibuf->fd, POLLOUT, INFTIM);
190 	if (poll_err) {
191 		fprintf(stderr, "%s: error %d \"%s\": poll: %s\n",
192 		    getprogname(), err->code, err->msg, poll_err->msg);
193 		return;
194 	}
195 
196 	ret = imsg_flush(ibuf);
197 	if (ret == -1) {
198 		fprintf(stderr, "%s: error %d \"%s\": imsg_flush: %s\n",
199 		    getprogname(), err->code, err->msg, strerror(errno));
200 		return;
201 	}
202 }
203 
204 static const struct got_error *
205 flush_imsg(struct imsgbuf *ibuf)
206 {
207 	const struct got_error *err;
208 
209 	err = poll_fd(ibuf->fd, POLLOUT, INFTIM);
210 	if (err)
211 		return err;
212 
213 	if (imsg_flush(ibuf) == -1)
214 		return got_error_from_errno("imsg_flush");
215 
216 	return NULL;
217 }
218 
219 const struct got_error *
220 got_privsep_flush_imsg(struct imsgbuf *ibuf)
221 {
222 	return flush_imsg(ibuf);
223 }
224 
225 const struct got_error *
226 got_privsep_send_stop(int fd)
227 {
228 	const struct got_error *err = NULL;
229 	struct imsgbuf ibuf;
230 
231 	imsg_init(&ibuf, fd);
232 
233 	if (imsg_compose(&ibuf, GOT_IMSG_STOP, 0, 0, -1, NULL, 0) == -1)
234 		return got_error_from_errno("imsg_compose STOP");
235 
236 	err = flush_imsg(&ibuf);
237 	imsg_clear(&ibuf);
238 	return err;
239 }
240 
241 const struct got_error *
242 got_privsep_send_obj_req(struct imsgbuf *ibuf, int fd)
243 {
244 	if (imsg_compose(ibuf, GOT_IMSG_OBJECT_REQUEST, 0, 0, fd, NULL, 0)
245 	    == -1)
246 		return got_error_from_errno("imsg_compose OBJECT_REQUEST");
247 
248 	return flush_imsg(ibuf);
249 }
250 
251 const struct got_error *
252 got_privsep_send_commit_req(struct imsgbuf *ibuf, int fd,
253     struct got_object_id *id, int pack_idx)
254 {
255 	const struct got_error *err = NULL;
256 	struct got_imsg_packed_object iobj, *iobjp;
257 	size_t len;
258 
259 	if (id) { /* commit is packed */
260 		iobj.idx = pack_idx;
261 		memcpy(iobj.id, id->sha1, sizeof(iobj.id));
262 		iobjp = &iobj;
263 		len = sizeof(iobj);
264 	} else {
265 		iobjp = NULL;
266 		len = 0;
267 	}
268 
269 	if (imsg_compose(ibuf, GOT_IMSG_COMMIT_REQUEST, 0, 0, fd, iobjp, len)
270 	    == -1) {
271 		err = got_error_from_errno("imsg_compose COMMIT_REQUEST");
272 		close(fd);
273 		return err;
274 	}
275 
276 	return flush_imsg(ibuf);
277 }
278 
279 const struct got_error *
280 got_privsep_send_tree_req(struct imsgbuf *ibuf, int fd,
281     struct got_object_id *id, int pack_idx)
282 {
283 	const struct got_error *err = NULL;
284 	struct ibuf *wbuf;
285 	size_t len = id ? sizeof(struct got_imsg_packed_object) : 0;
286 
287 	wbuf = imsg_create(ibuf, GOT_IMSG_TREE_REQUEST, 0, 0, len);
288 	if (wbuf == NULL)
289 		return got_error_from_errno("imsg_create TREE_REQUEST");
290 
291 	if (id) { /* tree is packed */
292 		if (imsg_add(wbuf, id->sha1, SHA1_DIGEST_LENGTH) == -1) {
293 			err = got_error_from_errno("imsg_add TREE_ENTRY");
294 			ibuf_free(wbuf);
295 			return err;
296 		}
297 
298 		if (imsg_add(wbuf, &pack_idx, sizeof(pack_idx)) == -1) {
299 			err = got_error_from_errno("imsg_add TREE_ENTRY");
300 			ibuf_free(wbuf);
301 			return err;
302 		}
303 	}
304 
305 	wbuf->fd = fd;
306 	imsg_close(ibuf, wbuf);
307 
308 	return flush_imsg(ibuf);
309 }
310 
311 const struct got_error *
312 got_privsep_send_tag_req(struct imsgbuf *ibuf, int fd,
313     struct got_object_id *id, int pack_idx)
314 {
315 	struct got_imsg_packed_object iobj, *iobjp;
316 	size_t len;
317 
318 	if (id) { /* tag is packed */
319 		iobj.idx = pack_idx;
320 		memcpy(iobj.id, id->sha1, sizeof(iobj.id));
321 		iobjp = &iobj;
322 		len = sizeof(iobj);
323 	} else {
324 		iobjp = NULL;
325 		len = 0;
326 	}
327 
328 	if (imsg_compose(ibuf, GOT_IMSG_TAG_REQUEST, 0, 0, fd, iobjp, len)
329 	    == -1)
330 		return got_error_from_errno("imsg_compose TAG_REQUEST");
331 
332 	return flush_imsg(ibuf);
333 }
334 
335 const struct got_error *
336 got_privsep_send_blob_req(struct imsgbuf *ibuf, int infd,
337     struct got_object_id *id, int pack_idx)
338 {
339 	const struct got_error *err = NULL;
340 	struct got_imsg_packed_object iobj, *iobjp;
341 	size_t len;
342 
343 	if (id) { /* blob is packed */
344 		iobj.idx = pack_idx;
345 		memcpy(iobj.id, id->sha1, sizeof(iobj.id));
346 		iobjp = &iobj;
347 		len = sizeof(iobj);
348 	} else {
349 		iobjp = NULL;
350 		len = 0;
351 	}
352 
353 	if (imsg_compose(ibuf, GOT_IMSG_BLOB_REQUEST, 0, 0, infd, iobjp, len)
354 	    == -1) {
355 		err = got_error_from_errno("imsg_compose BLOB_REQUEST");
356 		close(infd);
357 		return err;
358 	}
359 
360 	return flush_imsg(ibuf);
361 }
362 
363 const struct got_error *
364 got_privsep_send_blob_outfd(struct imsgbuf *ibuf, int outfd)
365 {
366 	const struct got_error *err = NULL;
367 
368 	if (imsg_compose(ibuf, GOT_IMSG_BLOB_OUTFD, 0, 0, outfd, NULL, 0)
369 	    == -1) {
370 		err = got_error_from_errno("imsg_compose BLOB_OUTFD");
371 		close(outfd);
372 		return err;
373 	}
374 
375 	return flush_imsg(ibuf);
376 }
377 
378 static const struct got_error *
379 send_fd(struct imsgbuf *ibuf, int imsg_code, int fd)
380 {
381 	const struct got_error *err = NULL;
382 
383 	if (imsg_compose(ibuf, imsg_code, 0, 0, fd, NULL, 0) == -1) {
384 		err = got_error_from_errno("imsg_compose TMPFD");
385 		close(fd);
386 		return err;
387 	}
388 
389 	return flush_imsg(ibuf);
390 }
391 
392 const struct got_error *
393 got_privsep_send_tmpfd(struct imsgbuf *ibuf, int fd)
394 {
395 	return send_fd(ibuf, GOT_IMSG_TMPFD, fd);
396 }
397 
398 const struct got_error *
399 got_privsep_send_obj(struct imsgbuf *ibuf, struct got_object *obj)
400 {
401 	struct got_imsg_object iobj;
402 
403 	memcpy(iobj.id, obj->id.sha1, sizeof(iobj.id));
404 	iobj.type = obj->type;
405 	iobj.flags = obj->flags;
406 	iobj.hdrlen = obj->hdrlen;
407 	iobj.size = obj->size;
408 	if (iobj.flags & GOT_OBJ_FLAG_PACKED) {
409 		iobj.pack_offset = obj->pack_offset;
410 		iobj.pack_idx = obj->pack_idx;
411 	}
412 
413 	if (imsg_compose(ibuf, GOT_IMSG_OBJECT, 0, 0, -1, &iobj, sizeof(iobj))
414 	    == -1)
415 		return got_error_from_errno("imsg_compose OBJECT");
416 
417 	return flush_imsg(ibuf);
418 }
419 
420 const struct got_error *
421 got_privsep_send_fetch_req(struct imsgbuf *ibuf, int fd,
422    struct got_pathlist_head *have_refs, int fetch_all_branches,
423    struct got_pathlist_head *wanted_branches,
424    struct got_pathlist_head *wanted_refs, int list_refs_only, int verbosity)
425 {
426 	const struct got_error *err = NULL;
427 	struct ibuf *wbuf;
428 	size_t len;
429 	struct got_pathlist_entry *pe;
430 	struct got_imsg_fetch_request fetchreq;
431 
432 	memset(&fetchreq, 0, sizeof(fetchreq));
433 	fetchreq.fetch_all_branches = fetch_all_branches;
434 	fetchreq.list_refs_only = list_refs_only;
435 	fetchreq.verbosity = verbosity;
436 	TAILQ_FOREACH(pe, have_refs, entry)
437 		fetchreq.n_have_refs++;
438 	TAILQ_FOREACH(pe, wanted_branches, entry)
439 		fetchreq.n_wanted_branches++;
440 	TAILQ_FOREACH(pe, wanted_refs, entry)
441 		fetchreq.n_wanted_refs++;
442 	len = sizeof(struct got_imsg_fetch_request);
443 	if (len >= MAX_IMSGSIZE - IMSG_HEADER_SIZE) {
444 		close(fd);
445 		return got_error(GOT_ERR_NO_SPACE);
446 	}
447 
448 	if (imsg_compose(ibuf, GOT_IMSG_FETCH_REQUEST, 0, 0, fd,
449 	    &fetchreq, sizeof(fetchreq)) == -1)
450 		return got_error_from_errno(
451 		    "imsg_compose FETCH_SERVER_PROGRESS");
452 
453 	err = flush_imsg(ibuf);
454 	if (err) {
455 		close(fd);
456 		return err;
457 	}
458 	fd = -1;
459 
460 	TAILQ_FOREACH(pe, have_refs, entry) {
461 		const char *name = pe->path;
462 		size_t name_len = pe->path_len;
463 		struct got_object_id *id = pe->data;
464 
465 		len = sizeof(struct got_imsg_fetch_have_ref) + name_len;
466 		wbuf = imsg_create(ibuf, GOT_IMSG_FETCH_HAVE_REF, 0, 0, len);
467 		if (wbuf == NULL)
468 			return got_error_from_errno("imsg_create FETCH_HAVE_REF");
469 
470 		/* Keep in sync with struct got_imsg_fetch_have_ref! */
471 		if (imsg_add(wbuf, id->sha1, sizeof(id->sha1)) == -1) {
472 			err = got_error_from_errno("imsg_add FETCH_HAVE_REF");
473 			ibuf_free(wbuf);
474 			return err;
475 		}
476 		if (imsg_add(wbuf, &name_len, sizeof(name_len)) == -1) {
477 			err = got_error_from_errno("imsg_add FETCH_HAVE_REF");
478 			ibuf_free(wbuf);
479 			return err;
480 		}
481 		if (imsg_add(wbuf, name, name_len) == -1) {
482 			err = got_error_from_errno("imsg_add FETCH_HAVE_REF");
483 			ibuf_free(wbuf);
484 			return err;
485 		}
486 
487 		wbuf->fd = -1;
488 		imsg_close(ibuf, wbuf);
489 		err = flush_imsg(ibuf);
490 		if (err)
491 			return err;
492 	}
493 
494 	TAILQ_FOREACH(pe, wanted_branches, entry) {
495 		const char *name = pe->path;
496 		size_t name_len = pe->path_len;
497 
498 		len = sizeof(struct got_imsg_fetch_wanted_branch) + name_len;
499 		wbuf = imsg_create(ibuf, GOT_IMSG_FETCH_WANTED_BRANCH, 0, 0,
500 		    len);
501 		if (wbuf == NULL)
502 			return got_error_from_errno(
503 			    "imsg_create FETCH_WANTED_BRANCH");
504 
505 		/* Keep in sync with struct got_imsg_fetch_wanted_branch! */
506 		if (imsg_add(wbuf, &name_len, sizeof(name_len)) == -1) {
507 			err = got_error_from_errno(
508 			    "imsg_add FETCH_WANTED_BRANCH");
509 			ibuf_free(wbuf);
510 			return err;
511 		}
512 		if (imsg_add(wbuf, name, name_len) == -1) {
513 			err = got_error_from_errno(
514 			    "imsg_add FETCH_WANTED_BRANCH");
515 			ibuf_free(wbuf);
516 			return err;
517 		}
518 
519 		wbuf->fd = -1;
520 		imsg_close(ibuf, wbuf);
521 		err = flush_imsg(ibuf);
522 		if (err)
523 			return err;
524 	}
525 
526 	TAILQ_FOREACH(pe, wanted_refs, entry) {
527 		const char *name = pe->path;
528 		size_t name_len = pe->path_len;
529 
530 		len = sizeof(struct got_imsg_fetch_wanted_ref) + name_len;
531 		wbuf = imsg_create(ibuf, GOT_IMSG_FETCH_WANTED_REF, 0, 0,
532 		    len);
533 		if (wbuf == NULL)
534 			return got_error_from_errno(
535 			    "imsg_create FETCH_WANTED_REF");
536 
537 		/* Keep in sync with struct got_imsg_fetch_wanted_ref! */
538 		if (imsg_add(wbuf, &name_len, sizeof(name_len)) == -1) {
539 			err = got_error_from_errno(
540 			    "imsg_add FETCH_WANTED_REF");
541 			ibuf_free(wbuf);
542 			return err;
543 		}
544 		if (imsg_add(wbuf, name, name_len) == -1) {
545 			err = got_error_from_errno(
546 			    "imsg_add FETCH_WANTED_REF");
547 			ibuf_free(wbuf);
548 			return err;
549 		}
550 
551 		wbuf->fd = -1;
552 		imsg_close(ibuf, wbuf);
553 		err = flush_imsg(ibuf);
554 		if (err)
555 			return err;
556 	}
557 
558 
559 	return NULL;
560 
561 }
562 
563 const struct got_error *
564 got_privsep_send_fetch_outfd(struct imsgbuf *ibuf, int fd)
565 {
566 	return send_fd(ibuf, GOT_IMSG_FETCH_OUTFD, fd);
567 }
568 
569 const struct got_error *
570 got_privsep_recv_fetch_progress(int *done, struct got_object_id **id,
571     char **refname, struct got_pathlist_head *symrefs, char **server_progress,
572     off_t *packfile_size, uint8_t *pack_sha1, struct imsgbuf *ibuf)
573 {
574 	const struct got_error *err = NULL;
575 	struct imsg imsg;
576 	size_t datalen;
577 	struct got_imsg_fetch_symrefs *isymrefs = NULL;
578 	size_t n, remain;
579 	off_t off;
580 	int i;
581 
582 	*done = 0;
583 	*id = NULL;
584 	*refname = NULL;
585 	*server_progress = NULL;
586 	*packfile_size = 0;
587 	memset(pack_sha1, 0, SHA1_DIGEST_LENGTH);
588 
589 	err = got_privsep_recv_imsg(&imsg, ibuf, 0);
590 	if (err)
591 		return err;
592 
593 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
594 	switch (imsg.hdr.type) {
595 	case GOT_IMSG_ERROR:
596 		if (datalen < sizeof(struct got_imsg_error)) {
597 			err = got_error(GOT_ERR_PRIVSEP_LEN);
598 			break;
599 		}
600 		err = recv_imsg_error(&imsg, datalen);
601 		break;
602 	case GOT_IMSG_FETCH_SYMREFS:
603 		if (datalen < sizeof(*isymrefs)) {
604 			err = got_error(GOT_ERR_PRIVSEP_LEN);
605 			break;
606 		}
607 		if (isymrefs != NULL) {
608 			err = got_error(GOT_ERR_PRIVSEP_MSG);
609 			break;
610 		}
611 		isymrefs = (struct got_imsg_fetch_symrefs *)imsg.data;
612 		off = sizeof(*isymrefs);
613 		remain = datalen - off;
614 		for (n = 0; n < isymrefs->nsymrefs; n++) {
615 			struct got_imsg_fetch_symref *s;
616 			char *name, *target;
617 			if (remain < sizeof(struct got_imsg_fetch_symref)) {
618 				err = got_error(GOT_ERR_PRIVSEP_LEN);
619 				goto done;
620 			}
621 			s = (struct got_imsg_fetch_symref *)(imsg.data + off);
622 			off += sizeof(*s);
623 			remain -= sizeof(*s);
624 			if (remain < s->name_len) {
625 				err = got_error(GOT_ERR_PRIVSEP_LEN);
626 				goto done;
627 			}
628 			name = strndup(imsg.data + off, s->name_len);
629 			if (name == NULL) {
630 				err = got_error_from_errno("strndup");
631 				goto done;
632 			}
633 			off += s->name_len;
634 			remain -= s->name_len;
635 			if (remain < s->target_len) {
636 				err = got_error(GOT_ERR_PRIVSEP_LEN);
637 				free(name);
638 				goto done;
639 			}
640 			target = strndup(imsg.data + off, s->target_len);
641 			if (target == NULL) {
642 				err = got_error_from_errno("strndup");
643 				free(name);
644 				goto done;
645 			}
646 			off += s->target_len;
647 			remain -= s->target_len;
648 			err = got_pathlist_append(symrefs, name, target);
649 			if (err) {
650 				free(name);
651 				free(target);
652 				goto done;
653 			}
654 		}
655 		break;
656 	case GOT_IMSG_FETCH_REF:
657 		if (datalen <= SHA1_DIGEST_LENGTH) {
658 			err = got_error(GOT_ERR_PRIVSEP_MSG);
659 			break;
660 		}
661 		*id = malloc(sizeof(**id));
662 		if (*id == NULL) {
663 			err = got_error_from_errno("malloc");
664 			break;
665 		}
666 		memcpy((*id)->sha1, imsg.data, SHA1_DIGEST_LENGTH);
667 		*refname = strndup(imsg.data + SHA1_DIGEST_LENGTH,
668 		    datalen - SHA1_DIGEST_LENGTH);
669 		if (*refname == NULL) {
670 			err = got_error_from_errno("strndup");
671 			break;
672 		}
673 		break;
674 	case GOT_IMSG_FETCH_SERVER_PROGRESS:
675 		if (datalen == 0) {
676 			err = got_error(GOT_ERR_PRIVSEP_LEN);
677 			break;
678 		}
679 		*server_progress = strndup(imsg.data, datalen);
680 		if (*server_progress == NULL) {
681 			err = got_error_from_errno("strndup");
682 			break;
683 		}
684 		for (i = 0; i < datalen; i++) {
685 			if (!isprint((unsigned char)(*server_progress)[i]) &&
686 			    !isspace((unsigned char)(*server_progress)[i])) {
687 				err = got_error(GOT_ERR_PRIVSEP_MSG);
688 				free(*server_progress);
689 				*server_progress = NULL;
690 				goto done;
691 			}
692 		}
693 		break;
694 	case GOT_IMSG_FETCH_DOWNLOAD_PROGRESS:
695 		if (datalen < sizeof(*packfile_size)) {
696 			err = got_error(GOT_ERR_PRIVSEP_MSG);
697 			break;
698 		}
699 		memcpy(packfile_size, imsg.data, sizeof(*packfile_size));
700 		break;
701 	case GOT_IMSG_FETCH_DONE:
702 		if (datalen != SHA1_DIGEST_LENGTH) {
703 			err = got_error(GOT_ERR_PRIVSEP_MSG);
704 			break;
705 		}
706 		memcpy(pack_sha1, imsg.data, SHA1_DIGEST_LENGTH);
707 		*done = 1;
708 		break;
709 	default:
710 		err = got_error(GOT_ERR_PRIVSEP_MSG);
711 		break;
712 	}
713 done:
714 	if (err) {
715 		free(*id);
716 		*id = NULL;
717 		free(*refname);
718 		*refname = NULL;
719 	}
720 	imsg_free(&imsg);
721 	return err;
722 }
723 
724 const struct got_error *
725 got_privsep_send_index_pack_req(struct imsgbuf *ibuf, uint8_t *pack_sha1,
726     int fd)
727 {
728 	const struct got_error *err = NULL;
729 
730 	/* Keep in sync with struct got_imsg_index_pack_request */
731 	if (imsg_compose(ibuf, GOT_IMSG_IDXPACK_REQUEST, 0, 0, fd,
732 	    pack_sha1, SHA1_DIGEST_LENGTH) == -1) {
733 		err = got_error_from_errno("imsg_compose INDEX_REQUEST");
734 		close(fd);
735 		return err;
736 	}
737 	return flush_imsg(ibuf);
738 }
739 
740 const struct got_error *
741 got_privsep_send_index_pack_outfd(struct imsgbuf *ibuf, int fd)
742 {
743 	return send_fd(ibuf, GOT_IMSG_IDXPACK_OUTFD, fd);
744 }
745 
746 const struct got_error *
747 got_privsep_recv_index_progress(int *done, int *nobj_total,
748     int *nobj_indexed, int *nobj_loose, int *nobj_resolved,
749     struct imsgbuf *ibuf)
750 {
751 	const struct got_error *err = NULL;
752 	struct imsg imsg;
753 	struct got_imsg_index_pack_progress *iprogress;
754 	size_t datalen;
755 
756 	*done = 0;
757 	*nobj_total = 0;
758 	*nobj_indexed = 0;
759 	*nobj_resolved = 0;
760 
761 	err = got_privsep_recv_imsg(&imsg, ibuf, 0);
762 	if (err)
763 		return err;
764 
765 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
766 	switch (imsg.hdr.type) {
767 	case GOT_IMSG_ERROR:
768 		if (datalen < sizeof(struct got_imsg_error)) {
769 			err = got_error(GOT_ERR_PRIVSEP_LEN);
770 			break;
771 		}
772 		err = recv_imsg_error(&imsg, datalen);
773 		break;
774 	case GOT_IMSG_IDXPACK_PROGRESS:
775 		if (datalen < sizeof(*iprogress)) {
776 			err = got_error(GOT_ERR_PRIVSEP_LEN);
777 			break;
778 		}
779 		iprogress = (struct got_imsg_index_pack_progress *)imsg.data;
780 		*nobj_total = iprogress->nobj_total;
781 		*nobj_indexed = iprogress->nobj_indexed;
782 		*nobj_loose = iprogress->nobj_loose;
783 		*nobj_resolved = iprogress->nobj_resolved;
784 		break;
785 	case GOT_IMSG_IDXPACK_DONE:
786 		if (datalen != 0) {
787 			err = got_error(GOT_ERR_PRIVSEP_LEN);
788 			break;
789 		}
790 		*done = 1;
791 		break;
792 	default:
793 		err = got_error(GOT_ERR_PRIVSEP_MSG);
794 		break;
795 	}
796 
797 	imsg_free(&imsg);
798 	return err;
799 }
800 
801 const struct got_error *
802 got_privsep_get_imsg_obj(struct got_object **obj, struct imsg *imsg,
803     struct imsgbuf *ibuf)
804 {
805 	const struct got_error *err = NULL;
806 	struct got_imsg_object *iobj;
807 	size_t datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
808 
809 	if (datalen != sizeof(*iobj))
810 		return got_error(GOT_ERR_PRIVSEP_LEN);
811 	iobj = imsg->data;
812 
813 	*obj = calloc(1, sizeof(**obj));
814 	if (*obj == NULL)
815 		return got_error_from_errno("calloc");
816 
817 	memcpy((*obj)->id.sha1, iobj->id, SHA1_DIGEST_LENGTH);
818 	(*obj)->type = iobj->type;
819 	(*obj)->flags = iobj->flags;
820 	(*obj)->hdrlen = iobj->hdrlen;
821 	(*obj)->size = iobj->size;
822 	/* path_packfile is handled by caller */
823 	if (iobj->flags & GOT_OBJ_FLAG_PACKED) {
824 		(*obj)->pack_offset = iobj->pack_offset;
825 		(*obj)->pack_idx = iobj->pack_idx;
826 	}
827 
828 	return err;
829 }
830 
831 const struct got_error *
832 got_privsep_recv_obj(struct got_object **obj, struct imsgbuf *ibuf)
833 {
834 	const struct got_error *err = NULL;
835 	struct imsg imsg;
836 	const size_t min_datalen =
837 	    MIN(sizeof(struct got_imsg_error), sizeof(struct got_imsg_object));
838 
839 	*obj = NULL;
840 
841 	err = got_privsep_recv_imsg(&imsg, ibuf, min_datalen);
842 	if (err)
843 		return err;
844 
845 	switch (imsg.hdr.type) {
846 	case GOT_IMSG_OBJECT:
847 		err = got_privsep_get_imsg_obj(obj, &imsg, ibuf);
848 		break;
849 	default:
850 		err = got_error(GOT_ERR_PRIVSEP_MSG);
851 		break;
852 	}
853 
854 	imsg_free(&imsg);
855 
856 	return err;
857 }
858 
859 static const struct got_error *
860 send_commit_logmsg(struct imsgbuf *ibuf, struct got_commit_object *commit,
861     size_t logmsg_len)
862 {
863 	const struct got_error *err = NULL;
864 	size_t offset, remain;
865 
866 	offset = 0;
867 	remain = logmsg_len;
868 	while (remain > 0) {
869 		size_t n = MIN(MAX_IMSGSIZE - IMSG_HEADER_SIZE, remain);
870 
871 		if (imsg_compose(ibuf, GOT_IMSG_COMMIT_LOGMSG, 0, 0, -1,
872 		    commit->logmsg + offset, n) == -1) {
873 			err = got_error_from_errno("imsg_compose "
874 			    "COMMIT_LOGMSG");
875 			break;
876 		}
877 
878 		err = flush_imsg(ibuf);
879 		if (err)
880 			break;
881 
882 		offset += n;
883 		remain -= n;
884 	}
885 
886 	return err;
887 }
888 
889 const struct got_error *
890 got_privsep_send_commit(struct imsgbuf *ibuf, struct got_commit_object *commit)
891 {
892 	const struct got_error *err = NULL;
893 	struct got_imsg_commit_object *icommit;
894 	uint8_t *buf;
895 	size_t len, total;
896 	struct got_object_qid *qid;
897 	size_t author_len = strlen(commit->author);
898 	size_t committer_len = strlen(commit->committer);
899 	size_t logmsg_len = strlen(commit->logmsg);
900 
901 	total = sizeof(*icommit) + author_len + committer_len +
902 	    commit->nparents * SHA1_DIGEST_LENGTH;
903 
904 	buf = malloc(total);
905 	if (buf == NULL)
906 		return got_error_from_errno("malloc");
907 
908 	icommit = (struct got_imsg_commit_object *)buf;
909 	memcpy(icommit->tree_id, commit->tree_id->sha1,
910 	    sizeof(icommit->tree_id));
911 	icommit->author_len = author_len;
912 	icommit->author_time = commit->author_time;
913 	icommit->author_gmtoff = commit->author_gmtoff;
914 	icommit->committer_len = committer_len;
915 	icommit->committer_time = commit->committer_time;
916 	icommit->committer_gmtoff = commit->committer_gmtoff;
917 	icommit->logmsg_len = logmsg_len;
918 	icommit->nparents = commit->nparents;
919 
920 	len = sizeof(*icommit);
921 	memcpy(buf + len, commit->author, author_len);
922 	len += author_len;
923 	memcpy(buf + len, commit->committer, committer_len);
924 	len += committer_len;
925 	SIMPLEQ_FOREACH(qid, &commit->parent_ids, entry) {
926 		memcpy(buf + len, qid->id, SHA1_DIGEST_LENGTH);
927 		len += SHA1_DIGEST_LENGTH;
928 	}
929 
930 	if (imsg_compose(ibuf, GOT_IMSG_COMMIT, 0, 0, -1, buf, len) == -1) {
931 		err = got_error_from_errno("imsg_compose COMMIT");
932 		goto done;
933 	}
934 
935 	if (logmsg_len == 0 ||
936 	    logmsg_len + len > MAX_IMSGSIZE - IMSG_HEADER_SIZE) {
937 		err = flush_imsg(ibuf);
938 		if (err)
939 			goto done;
940 	}
941 	err = send_commit_logmsg(ibuf, commit, logmsg_len);
942 done:
943 	free(buf);
944 	return err;
945 }
946 
947 static const struct got_error *
948 get_commit_from_imsg(struct got_commit_object **commit,
949     struct imsg *imsg, size_t datalen, struct imsgbuf *ibuf)
950 {
951 	const struct got_error *err = NULL;
952 	struct got_imsg_commit_object *icommit;
953 	size_t len = 0;
954 	int i;
955 
956 	if (datalen < sizeof(*icommit))
957 		return got_error(GOT_ERR_PRIVSEP_LEN);
958 
959 	icommit = imsg->data;
960 	if (datalen != sizeof(*icommit) + icommit->author_len +
961 	    icommit->committer_len +
962 	    icommit->nparents * SHA1_DIGEST_LENGTH)
963 		return got_error(GOT_ERR_PRIVSEP_LEN);
964 
965 	if (icommit->nparents < 0)
966 		return got_error(GOT_ERR_PRIVSEP_LEN);
967 
968 	len += sizeof(*icommit);
969 
970 	*commit = got_object_commit_alloc_partial();
971 	if (*commit == NULL)
972 		return got_error_from_errno(
973 		    "got_object_commit_alloc_partial");
974 
975 	memcpy((*commit)->tree_id->sha1, icommit->tree_id,
976 	    SHA1_DIGEST_LENGTH);
977 	(*commit)->author_time = icommit->author_time;
978 	(*commit)->author_gmtoff = icommit->author_gmtoff;
979 	(*commit)->committer_time = icommit->committer_time;
980 	(*commit)->committer_gmtoff = icommit->committer_gmtoff;
981 
982 	if (icommit->author_len == 0) {
983 		(*commit)->author = strdup("");
984 		if ((*commit)->author == NULL) {
985 			err = got_error_from_errno("strdup");
986 			goto done;
987 		}
988 	} else {
989 		(*commit)->author = malloc(icommit->author_len + 1);
990 		if ((*commit)->author == NULL) {
991 			err = got_error_from_errno("malloc");
992 			goto done;
993 		}
994 		memcpy((*commit)->author, imsg->data + len,
995 		    icommit->author_len);
996 		(*commit)->author[icommit->author_len] = '\0';
997 	}
998 	len += icommit->author_len;
999 
1000 	if (icommit->committer_len == 0) {
1001 		(*commit)->committer = strdup("");
1002 		if ((*commit)->committer == NULL) {
1003 			err = got_error_from_errno("strdup");
1004 			goto done;
1005 		}
1006 	} else {
1007 		(*commit)->committer =
1008 		    malloc(icommit->committer_len + 1);
1009 		if ((*commit)->committer == NULL) {
1010 			err = got_error_from_errno("malloc");
1011 			goto done;
1012 		}
1013 		memcpy((*commit)->committer, imsg->data + len,
1014 		    icommit->committer_len);
1015 		(*commit)->committer[icommit->committer_len] = '\0';
1016 	}
1017 	len += icommit->committer_len;
1018 
1019 	if (icommit->logmsg_len == 0) {
1020 		(*commit)->logmsg = strdup("");
1021 		if ((*commit)->logmsg == NULL) {
1022 			err = got_error_from_errno("strdup");
1023 			goto done;
1024 		}
1025 	} else {
1026 		size_t offset = 0, remain = icommit->logmsg_len;
1027 
1028 		(*commit)->logmsg = malloc(icommit->logmsg_len + 1);
1029 		if ((*commit)->logmsg == NULL) {
1030 			err = got_error_from_errno("malloc");
1031 			goto done;
1032 		}
1033 		while (remain > 0) {
1034 			struct imsg imsg_log;
1035 			size_t n = MIN(MAX_IMSGSIZE - IMSG_HEADER_SIZE,
1036 			    remain);
1037 
1038 			err = got_privsep_recv_imsg(&imsg_log, ibuf, n);
1039 			if (err)
1040 				goto done;
1041 
1042 			if (imsg_log.hdr.type != GOT_IMSG_COMMIT_LOGMSG) {
1043 				err = got_error(GOT_ERR_PRIVSEP_MSG);
1044 				goto done;
1045 			}
1046 
1047 			memcpy((*commit)->logmsg + offset,
1048 			    imsg_log.data, n);
1049 			imsg_free(&imsg_log);
1050 			offset += n;
1051 			remain -= n;
1052 		}
1053 		(*commit)->logmsg[icommit->logmsg_len] = '\0';
1054 	}
1055 
1056 	for (i = 0; i < icommit->nparents; i++) {
1057 		struct got_object_qid *qid;
1058 
1059 		err = got_object_qid_alloc_partial(&qid);
1060 		if (err)
1061 			break;
1062 		memcpy(qid->id, imsg->data + len +
1063 		    i * SHA1_DIGEST_LENGTH, sizeof(*qid->id));
1064 		SIMPLEQ_INSERT_TAIL(&(*commit)->parent_ids, qid, entry);
1065 		(*commit)->nparents++;
1066 	}
1067 done:
1068 	if (err) {
1069 		got_object_commit_close(*commit);
1070 		*commit = NULL;
1071 	}
1072 	return err;
1073 }
1074 
1075 const struct got_error *
1076 got_privsep_recv_commit(struct got_commit_object **commit, struct imsgbuf *ibuf)
1077 {
1078 	const struct got_error *err = NULL;
1079 	struct imsg imsg;
1080 	size_t datalen;
1081 	const size_t min_datalen =
1082 	    MIN(sizeof(struct got_imsg_error),
1083 	    sizeof(struct got_imsg_commit_object));
1084 
1085 	*commit = NULL;
1086 
1087 	err = got_privsep_recv_imsg(&imsg, ibuf, min_datalen);
1088 	if (err)
1089 		return err;
1090 
1091 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1092 
1093 	switch (imsg.hdr.type) {
1094 	case GOT_IMSG_COMMIT:
1095 		err = get_commit_from_imsg(commit, &imsg, datalen, ibuf);
1096 		break;
1097 	default:
1098 		err = got_error(GOT_ERR_PRIVSEP_MSG);
1099 		break;
1100 	}
1101 
1102 	imsg_free(&imsg);
1103 
1104 	return err;
1105 }
1106 
1107 const struct got_error *
1108 got_privsep_send_tree(struct imsgbuf *ibuf, struct got_pathlist_head *entries,
1109     int nentries)
1110 {
1111 	const struct got_error *err = NULL;
1112 	struct got_imsg_tree_object itree;
1113 	struct got_pathlist_entry *pe;
1114 	size_t totlen;
1115 	int nimsg; /* number of imsg queued in ibuf */
1116 
1117 	itree.nentries = nentries;
1118 	if (imsg_compose(ibuf, GOT_IMSG_TREE, 0, 0, -1, &itree, sizeof(itree))
1119 	    == -1)
1120 		return got_error_from_errno("imsg_compose TREE");
1121 
1122 	totlen = sizeof(itree);
1123 	nimsg = 1;
1124 	TAILQ_FOREACH(pe, entries, entry) {
1125 		const char *name = pe->path;
1126 		struct got_parsed_tree_entry *pte = pe->data;
1127 		struct ibuf *wbuf;
1128 		size_t namelen = strlen(name);
1129 		size_t len = sizeof(struct got_imsg_tree_entry) + namelen;
1130 
1131 		if (len > MAX_IMSGSIZE)
1132 			return got_error(GOT_ERR_NO_SPACE);
1133 
1134 		nimsg++;
1135 		if (totlen + len >= MAX_IMSGSIZE - (IMSG_HEADER_SIZE * nimsg)) {
1136 			err = flush_imsg(ibuf);
1137 			if (err)
1138 				return err;
1139 			nimsg = 0;
1140 		}
1141 
1142 		wbuf = imsg_create(ibuf, GOT_IMSG_TREE_ENTRY, 0, 0, len);
1143 		if (wbuf == NULL)
1144 			return got_error_from_errno("imsg_create TREE_ENTRY");
1145 
1146 		/* Keep in sync with struct got_imsg_tree_object definition! */
1147 		if (imsg_add(wbuf, pte->id, SHA1_DIGEST_LENGTH) == -1) {
1148 			err = got_error_from_errno("imsg_add TREE_ENTRY");
1149 			ibuf_free(wbuf);
1150 			return err;
1151 		}
1152 		if (imsg_add(wbuf, &pte->mode, sizeof(pte->mode)) == -1) {
1153 			err = got_error_from_errno("imsg_add TREE_ENTRY");
1154 			ibuf_free(wbuf);
1155 			return err;
1156 		}
1157 
1158 		if (imsg_add(wbuf, name, namelen) == -1) {
1159 			err = got_error_from_errno("imsg_add TREE_ENTRY");
1160 			ibuf_free(wbuf);
1161 			return err;
1162 		}
1163 
1164 		wbuf->fd = -1;
1165 		imsg_close(ibuf, wbuf);
1166 
1167 		totlen += len;
1168 	}
1169 
1170 	return flush_imsg(ibuf);
1171 }
1172 
1173 const struct got_error *
1174 got_privsep_recv_tree(struct got_tree_object **tree, struct imsgbuf *ibuf)
1175 {
1176 	const struct got_error *err = NULL;
1177 	const size_t min_datalen =
1178 	    MIN(sizeof(struct got_imsg_error),
1179 	    sizeof(struct got_imsg_tree_object));
1180 	struct got_imsg_tree_object *itree;
1181 	int nentries = 0;
1182 
1183 	*tree = NULL;
1184 get_more:
1185 	err = read_imsg(ibuf);
1186 	if (err)
1187 		goto done;
1188 
1189 	for (;;) {
1190 		struct imsg imsg;
1191 		size_t n;
1192 		size_t datalen;
1193 		struct got_imsg_tree_entry *ite;
1194 		struct got_tree_entry *te = NULL;
1195 
1196 		n = imsg_get(ibuf, &imsg);
1197 		if (n == 0) {
1198 			if (*tree && (*tree)->nentries != nentries)
1199 				goto get_more;
1200 			break;
1201 		}
1202 
1203 		if (imsg.hdr.len < IMSG_HEADER_SIZE + min_datalen) {
1204 			imsg_free(&imsg);
1205 			err = got_error(GOT_ERR_PRIVSEP_LEN);
1206 			break;
1207 		}
1208 
1209 		datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1210 
1211 		switch (imsg.hdr.type) {
1212 		case GOT_IMSG_ERROR:
1213 			err = recv_imsg_error(&imsg, datalen);
1214 			break;
1215 		case GOT_IMSG_TREE:
1216 			/* This message should only appear once. */
1217 			if (*tree != NULL) {
1218 				err = got_error(GOT_ERR_PRIVSEP_MSG);
1219 				break;
1220 			}
1221 			if (datalen != sizeof(*itree)) {
1222 				err = got_error(GOT_ERR_PRIVSEP_LEN);
1223 				break;
1224 			}
1225 			itree = imsg.data;
1226 			*tree = malloc(sizeof(**tree));
1227 			if (*tree == NULL) {
1228 				err = got_error_from_errno("malloc");
1229 				break;
1230 			}
1231 			(*tree)->entries = calloc(itree->nentries,
1232 			    sizeof(struct got_tree_entry));
1233 			if ((*tree)->entries == NULL) {
1234 				err = got_error_from_errno("malloc");
1235 				break;
1236 			}
1237 			(*tree)->nentries = itree->nentries;
1238 			(*tree)->refcnt = 0;
1239 			break;
1240 		case GOT_IMSG_TREE_ENTRY:
1241 			/* This message should be preceeded by GOT_IMSG_TREE. */
1242 			if (*tree == NULL) {
1243 				err = got_error(GOT_ERR_PRIVSEP_MSG);
1244 				break;
1245 			}
1246 			if (datalen < sizeof(*ite) || datalen > MAX_IMSGSIZE) {
1247 				err = got_error(GOT_ERR_PRIVSEP_LEN);
1248 				break;
1249 			}
1250 
1251 			/* Remaining data contains the entry's name. */
1252 			datalen -= sizeof(*ite);
1253 			if (datalen == 0 || datalen > MAX_IMSGSIZE) {
1254 				err = got_error(GOT_ERR_PRIVSEP_LEN);
1255 				break;
1256 			}
1257 			ite = imsg.data;
1258 
1259 			if (datalen + 1 > sizeof(te->name)) {
1260 				err = got_error(GOT_ERR_NO_SPACE);
1261 				break;
1262 			}
1263 			te = &(*tree)->entries[nentries];
1264 			memcpy(te->name, imsg.data + sizeof(*ite), datalen);
1265 			te->name[datalen] = '\0';
1266 
1267 			memcpy(te->id.sha1, ite->id, SHA1_DIGEST_LENGTH);
1268 			te->mode = ite->mode;
1269 			te->idx = nentries;
1270 			nentries++;
1271 			break;
1272 		default:
1273 			err = got_error(GOT_ERR_PRIVSEP_MSG);
1274 			break;
1275 		}
1276 
1277 		imsg_free(&imsg);
1278 		if (err)
1279 			break;
1280 	}
1281 done:
1282 	if (*tree && (*tree)->nentries != nentries) {
1283 		if (err == NULL)
1284 			err = got_error(GOT_ERR_PRIVSEP_LEN);
1285 		got_object_tree_close(*tree);
1286 		*tree = NULL;
1287 	}
1288 
1289 	return err;
1290 }
1291 
1292 const struct got_error *
1293 got_privsep_send_blob(struct imsgbuf *ibuf, size_t size, size_t hdrlen,
1294     const uint8_t *data)
1295 {
1296 	struct got_imsg_blob iblob;
1297 
1298 	iblob.size = size;
1299 	iblob.hdrlen = hdrlen;
1300 
1301 	if (data) {
1302 		uint8_t *buf;
1303 
1304 		if (size > GOT_PRIVSEP_INLINE_BLOB_DATA_MAX)
1305 			return got_error(GOT_ERR_NO_SPACE);
1306 
1307 		buf = malloc(sizeof(iblob) + size);
1308 		if (buf == NULL)
1309 			return got_error_from_errno("malloc");
1310 
1311 		memcpy(buf, &iblob, sizeof(iblob));
1312 		memcpy(buf + sizeof(iblob), data, size);
1313 		if (imsg_compose(ibuf, GOT_IMSG_BLOB, 0, 0, -1, buf,
1314 		    sizeof(iblob) + size) == -1) {
1315 			free(buf);
1316 			return got_error_from_errno("imsg_compose BLOB");
1317 		}
1318 		free(buf);
1319 	} else {
1320 		/* Data has already been written to file descriptor. */
1321 		if (imsg_compose(ibuf, GOT_IMSG_BLOB, 0, 0, -1, &iblob,
1322 		    sizeof(iblob)) == -1)
1323 			return got_error_from_errno("imsg_compose BLOB");
1324 	}
1325 
1326 
1327 	return flush_imsg(ibuf);
1328 }
1329 
1330 const struct got_error *
1331 got_privsep_recv_blob(uint8_t **outbuf, size_t *size, size_t *hdrlen,
1332     struct imsgbuf *ibuf)
1333 {
1334 	const struct got_error *err = NULL;
1335 	struct imsg imsg;
1336 	struct got_imsg_blob *iblob;
1337 	size_t datalen;
1338 
1339 	*outbuf = NULL;
1340 
1341 	err = got_privsep_recv_imsg(&imsg, ibuf, 0);
1342 	if (err)
1343 		return err;
1344 
1345 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1346 
1347 	switch (imsg.hdr.type) {
1348 	case GOT_IMSG_BLOB:
1349 		if (datalen < sizeof(*iblob)) {
1350 			err = got_error(GOT_ERR_PRIVSEP_LEN);
1351 			break;
1352 		}
1353 		iblob = imsg.data;
1354 		*size = iblob->size;
1355 		*hdrlen = iblob->hdrlen;
1356 
1357 		if (datalen == sizeof(*iblob)) {
1358 			/* Data has been written to file descriptor. */
1359 			break;
1360 		}
1361 
1362 		if (*size > GOT_PRIVSEP_INLINE_BLOB_DATA_MAX) {
1363 			err = got_error(GOT_ERR_PRIVSEP_LEN);
1364 			break;
1365 		}
1366 
1367 		*outbuf = malloc(*size);
1368 		if (*outbuf == NULL) {
1369 			err = got_error_from_errno("malloc");
1370 			break;
1371 		}
1372 		memcpy(*outbuf, imsg.data + sizeof(*iblob), *size);
1373 		break;
1374 	default:
1375 		err = got_error(GOT_ERR_PRIVSEP_MSG);
1376 		break;
1377 	}
1378 
1379 	imsg_free(&imsg);
1380 
1381 	return err;
1382 }
1383 
1384 static const struct got_error *
1385 send_tagmsg(struct imsgbuf *ibuf, struct got_tag_object *tag, size_t tagmsg_len)
1386 {
1387 	const struct got_error *err = NULL;
1388 	size_t offset, remain;
1389 
1390 	offset = 0;
1391 	remain = tagmsg_len;
1392 	while (remain > 0) {
1393 		size_t n = MIN(MAX_IMSGSIZE - IMSG_HEADER_SIZE, remain);
1394 
1395 		if (imsg_compose(ibuf, GOT_IMSG_TAG_TAGMSG, 0, 0, -1,
1396 		    tag->tagmsg + offset, n) == -1) {
1397 			err = got_error_from_errno("imsg_compose TAG_TAGMSG");
1398 			break;
1399 		}
1400 
1401 		err = flush_imsg(ibuf);
1402 		if (err)
1403 			break;
1404 
1405 		offset += n;
1406 		remain -= n;
1407 	}
1408 
1409 	return err;
1410 }
1411 
1412 const struct got_error *
1413 got_privsep_send_tag(struct imsgbuf *ibuf, struct got_tag_object *tag)
1414 {
1415 	const struct got_error *err = NULL;
1416 	struct got_imsg_tag_object *itag;
1417 	uint8_t *buf;
1418 	size_t len, total;
1419 	size_t tag_len = strlen(tag->tag);
1420 	size_t tagger_len = strlen(tag->tagger);
1421 	size_t tagmsg_len = strlen(tag->tagmsg);
1422 
1423 	total = sizeof(*itag) + tag_len + tagger_len + tagmsg_len;
1424 
1425 	buf = malloc(total);
1426 	if (buf == NULL)
1427 		return got_error_from_errno("malloc");
1428 
1429 	itag = (struct got_imsg_tag_object *)buf;
1430 	memcpy(itag->id, tag->id.sha1, sizeof(itag->id));
1431 	itag->obj_type = tag->obj_type;
1432 	itag->tag_len = tag_len;
1433 	itag->tagger_len = tagger_len;
1434 	itag->tagger_time = tag->tagger_time;
1435 	itag->tagger_gmtoff = tag->tagger_gmtoff;
1436 	itag->tagmsg_len = tagmsg_len;
1437 
1438 	len = sizeof(*itag);
1439 	memcpy(buf + len, tag->tag, tag_len);
1440 	len += tag_len;
1441 	memcpy(buf + len, tag->tagger, tagger_len);
1442 	len += tagger_len;
1443 
1444 	if (imsg_compose(ibuf, GOT_IMSG_TAG, 0, 0, -1, buf, len) == -1) {
1445 		err = got_error_from_errno("imsg_compose TAG");
1446 		goto done;
1447 	}
1448 
1449 	if (tagmsg_len == 0 ||
1450 	    tagmsg_len + len > MAX_IMSGSIZE - IMSG_HEADER_SIZE) {
1451 		err = flush_imsg(ibuf);
1452 		if (err)
1453 			goto done;
1454 	}
1455 	err = send_tagmsg(ibuf, tag, tagmsg_len);
1456 done:
1457 	free(buf);
1458 	return err;
1459 }
1460 
1461 const struct got_error *
1462 got_privsep_recv_tag(struct got_tag_object **tag, struct imsgbuf *ibuf)
1463 {
1464 	const struct got_error *err = NULL;
1465 	struct imsg imsg;
1466 	struct got_imsg_tag_object *itag;
1467 	size_t len, datalen;
1468 	const size_t min_datalen =
1469 	    MIN(sizeof(struct got_imsg_error),
1470 	    sizeof(struct got_imsg_tag_object));
1471 
1472 	*tag = NULL;
1473 
1474 	err = got_privsep_recv_imsg(&imsg, ibuf, min_datalen);
1475 	if (err)
1476 		return err;
1477 
1478 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1479 	len = 0;
1480 
1481 	switch (imsg.hdr.type) {
1482 	case GOT_IMSG_TAG:
1483 		if (datalen < sizeof(*itag)) {
1484 			err = got_error(GOT_ERR_PRIVSEP_LEN);
1485 			break;
1486 		}
1487 		itag = imsg.data;
1488 		if (datalen != sizeof(*itag) + itag->tag_len +
1489 		    itag->tagger_len) {
1490 			err = got_error(GOT_ERR_PRIVSEP_LEN);
1491 			break;
1492 		}
1493 		len += sizeof(*itag);
1494 
1495 		*tag = calloc(1, sizeof(**tag));
1496 		if (*tag == NULL) {
1497 			err = got_error_from_errno("calloc");
1498 			break;
1499 		}
1500 
1501 		memcpy((*tag)->id.sha1, itag->id, SHA1_DIGEST_LENGTH);
1502 
1503 		if (itag->tag_len == 0) {
1504 			(*tag)->tag = strdup("");
1505 			if ((*tag)->tag == NULL) {
1506 				err = got_error_from_errno("strdup");
1507 				break;
1508 			}
1509 		} else {
1510 			(*tag)->tag = malloc(itag->tag_len + 1);
1511 			if ((*tag)->tag == NULL) {
1512 				err = got_error_from_errno("malloc");
1513 				break;
1514 			}
1515 			memcpy((*tag)->tag, imsg.data + len,
1516 			    itag->tag_len);
1517 			(*tag)->tag[itag->tag_len] = '\0';
1518 		}
1519 		len += itag->tag_len;
1520 
1521 		(*tag)->obj_type = itag->obj_type;
1522 		(*tag)->tagger_time = itag->tagger_time;
1523 		(*tag)->tagger_gmtoff = itag->tagger_gmtoff;
1524 
1525 		if (itag->tagger_len == 0) {
1526 			(*tag)->tagger = strdup("");
1527 			if ((*tag)->tagger == NULL) {
1528 				err = got_error_from_errno("strdup");
1529 				break;
1530 			}
1531 		} else {
1532 			(*tag)->tagger = malloc(itag->tagger_len + 1);
1533 			if ((*tag)->tagger == NULL) {
1534 				err = got_error_from_errno("malloc");
1535 				break;
1536 			}
1537 			memcpy((*tag)->tagger, imsg.data + len,
1538 			    itag->tagger_len);
1539 			(*tag)->tagger[itag->tagger_len] = '\0';
1540 		}
1541 		len += itag->tagger_len;
1542 
1543 		if (itag->tagmsg_len == 0) {
1544 			(*tag)->tagmsg = strdup("");
1545 			if ((*tag)->tagmsg == NULL) {
1546 				err = got_error_from_errno("strdup");
1547 				break;
1548 			}
1549 		} else {
1550 			size_t offset = 0, remain = itag->tagmsg_len;
1551 
1552 			(*tag)->tagmsg = malloc(itag->tagmsg_len + 1);
1553 			if ((*tag)->tagmsg == NULL) {
1554 				err = got_error_from_errno("malloc");
1555 				break;
1556 			}
1557 			while (remain > 0) {
1558 				struct imsg imsg_log;
1559 				size_t n = MIN(MAX_IMSGSIZE - IMSG_HEADER_SIZE,
1560 				    remain);
1561 
1562 				err = got_privsep_recv_imsg(&imsg_log, ibuf, n);
1563 				if (err)
1564 					return err;
1565 
1566 				if (imsg_log.hdr.type != GOT_IMSG_TAG_TAGMSG)
1567 					return got_error(GOT_ERR_PRIVSEP_MSG);
1568 
1569 				memcpy((*tag)->tagmsg + offset, imsg_log.data,
1570 				    n);
1571 				imsg_free(&imsg_log);
1572 				offset += n;
1573 				remain -= n;
1574 			}
1575 			(*tag)->tagmsg[itag->tagmsg_len] = '\0';
1576 		}
1577 
1578 		break;
1579 	default:
1580 		err = got_error(GOT_ERR_PRIVSEP_MSG);
1581 		break;
1582 	}
1583 
1584 	imsg_free(&imsg);
1585 
1586 	return err;
1587 }
1588 
1589 const struct got_error *
1590 got_privsep_init_pack_child(struct imsgbuf *ibuf, struct got_pack *pack,
1591     struct got_packidx *packidx)
1592 {
1593 	const struct got_error *err = NULL;
1594 	struct got_imsg_packidx ipackidx;
1595 	struct got_imsg_pack ipack;
1596 	int fd;
1597 
1598 	ipackidx.len = packidx->len;
1599 	fd = dup(packidx->fd);
1600 	if (fd == -1)
1601 		return got_error_from_errno("dup");
1602 
1603 	if (imsg_compose(ibuf, GOT_IMSG_PACKIDX, 0, 0, fd, &ipackidx,
1604 	    sizeof(ipackidx)) == -1) {
1605 		err = got_error_from_errno("imsg_compose PACKIDX");
1606 		close(fd);
1607 		return err;
1608 	}
1609 
1610 	if (strlcpy(ipack.path_packfile, pack->path_packfile,
1611 	    sizeof(ipack.path_packfile)) >= sizeof(ipack.path_packfile))
1612 		return got_error(GOT_ERR_NO_SPACE);
1613 	ipack.filesize = pack->filesize;
1614 
1615 	fd = dup(pack->fd);
1616 	if (fd == -1)
1617 		return got_error_from_errno("dup");
1618 
1619 	if (imsg_compose(ibuf, GOT_IMSG_PACK, 0, 0, fd, &ipack, sizeof(ipack))
1620 	    == -1) {
1621 		err = got_error_from_errno("imsg_compose PACK");
1622 		close(fd);
1623 		return err;
1624 	}
1625 
1626 	return flush_imsg(ibuf);
1627 }
1628 
1629 const struct got_error *
1630 got_privsep_send_packed_obj_req(struct imsgbuf *ibuf, int idx,
1631     struct got_object_id *id)
1632 {
1633 	struct got_imsg_packed_object iobj;
1634 
1635 	iobj.idx = idx;
1636 	memcpy(iobj.id, id->sha1, sizeof(iobj.id));
1637 
1638 	if (imsg_compose(ibuf, GOT_IMSG_PACKED_OBJECT_REQUEST, 0, 0, -1,
1639 	    &iobj, sizeof(iobj)) == -1)
1640 		return got_error_from_errno("imsg_compose "
1641 		    "PACKED_OBJECT_REQUEST");
1642 
1643 	return flush_imsg(ibuf);
1644 }
1645 
1646 const struct got_error *
1647 got_privsep_send_gitconfig_parse_req(struct imsgbuf *ibuf, int fd)
1648 {
1649 	const struct got_error *err = NULL;
1650 
1651 	if (imsg_compose(ibuf, GOT_IMSG_GITCONFIG_PARSE_REQUEST, 0, 0, fd,
1652 	    NULL, 0) == -1) {
1653 		err = got_error_from_errno("imsg_compose "
1654 		    "GITCONFIG_PARSE_REQUEST");
1655 		close(fd);
1656 		return err;
1657 	}
1658 
1659 	return flush_imsg(ibuf);
1660 }
1661 
1662 const struct got_error *
1663 got_privsep_send_gitconfig_repository_format_version_req(struct imsgbuf *ibuf)
1664 {
1665 	if (imsg_compose(ibuf,
1666 	    GOT_IMSG_GITCONFIG_REPOSITORY_FORMAT_VERSION_REQUEST, 0, 0, -1,
1667 	    NULL, 0) == -1)
1668 		return got_error_from_errno("imsg_compose "
1669 		    "GITCONFIG_REPOSITORY_FORMAT_VERSION_REQUEST");
1670 
1671 	return flush_imsg(ibuf);
1672 }
1673 
1674 const struct got_error *
1675 got_privsep_send_gitconfig_repository_extensions_req(struct imsgbuf *ibuf)
1676 {
1677 	if (imsg_compose(ibuf,
1678 	    GOT_IMSG_GITCONFIG_REPOSITORY_EXTENSIONS_REQUEST, 0, 0, -1,
1679 	    NULL, 0) == -1)
1680 		return got_error_from_errno("imsg_compose "
1681 		    "GITCONFIG_REPOSITORY_EXTENSIONS_REQUEST");
1682 
1683 	return flush_imsg(ibuf);
1684 }
1685 
1686 
1687 const struct got_error *
1688 got_privsep_send_gitconfig_author_name_req(struct imsgbuf *ibuf)
1689 {
1690 	if (imsg_compose(ibuf,
1691 	    GOT_IMSG_GITCONFIG_AUTHOR_NAME_REQUEST, 0, 0, -1, NULL, 0) == -1)
1692 		return got_error_from_errno("imsg_compose "
1693 		    "GITCONFIG_AUTHOR_NAME_REQUEST");
1694 
1695 	return flush_imsg(ibuf);
1696 }
1697 
1698 const struct got_error *
1699 got_privsep_send_gitconfig_author_email_req(struct imsgbuf *ibuf)
1700 {
1701 	if (imsg_compose(ibuf,
1702 	    GOT_IMSG_GITCONFIG_AUTHOR_EMAIL_REQUEST, 0, 0, -1, NULL, 0) == -1)
1703 		return got_error_from_errno("imsg_compose "
1704 		    "GITCONFIG_AUTHOR_EMAIL_REQUEST");
1705 
1706 	return flush_imsg(ibuf);
1707 }
1708 
1709 const struct got_error *
1710 got_privsep_send_gitconfig_remotes_req(struct imsgbuf *ibuf)
1711 {
1712 	if (imsg_compose(ibuf,
1713 	    GOT_IMSG_GITCONFIG_REMOTES_REQUEST, 0, 0, -1, NULL, 0) == -1)
1714 		return got_error_from_errno("imsg_compose "
1715 		    "GITCONFIG_REMOTE_REQUEST");
1716 
1717 	return flush_imsg(ibuf);
1718 }
1719 
1720 const struct got_error *
1721 got_privsep_send_gitconfig_owner_req(struct imsgbuf *ibuf)
1722 {
1723 	if (imsg_compose(ibuf,
1724 	    GOT_IMSG_GITCONFIG_OWNER_REQUEST, 0, 0, -1, NULL, 0) == -1)
1725 		return got_error_from_errno("imsg_compose "
1726 		    "GITCONFIG_OWNER_REQUEST");
1727 
1728 	return flush_imsg(ibuf);
1729 }
1730 
1731 const struct got_error *
1732 got_privsep_recv_gitconfig_str(char **str, struct imsgbuf *ibuf)
1733 {
1734 	const struct got_error *err = NULL;
1735 	struct imsg imsg;
1736 	size_t datalen;
1737 	const size_t min_datalen = 0;
1738 
1739 	*str = NULL;
1740 
1741 	err = got_privsep_recv_imsg(&imsg, ibuf, min_datalen);
1742 	if (err)
1743 		return err;
1744 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1745 
1746 	switch (imsg.hdr.type) {
1747 	case GOT_IMSG_GITCONFIG_STR_VAL:
1748 		if (datalen == 0)
1749 			break;
1750 		/* datalen does not include terminating \0 */
1751 		*str = malloc(datalen + 1);
1752 		if (*str == NULL) {
1753 			err = got_error_from_errno("malloc");
1754 			break;
1755 		}
1756 		memcpy(*str, imsg.data, datalen);
1757 		(*str)[datalen] = '\0';
1758 		break;
1759 	default:
1760 		err = got_error(GOT_ERR_PRIVSEP_MSG);
1761 		break;
1762 	}
1763 
1764 	imsg_free(&imsg);
1765 	return err;
1766 }
1767 
1768 const struct got_error *
1769 got_privsep_recv_gitconfig_int(int *val, struct imsgbuf *ibuf)
1770 {
1771 	const struct got_error *err = NULL;
1772 	struct imsg imsg;
1773 	size_t datalen;
1774 	const size_t min_datalen =
1775 	    MIN(sizeof(struct got_imsg_error), sizeof(int));
1776 
1777 	*val = 0;
1778 
1779 	err = got_privsep_recv_imsg(&imsg, ibuf, min_datalen);
1780 	if (err)
1781 		return err;
1782 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1783 
1784 	switch (imsg.hdr.type) {
1785 	case GOT_IMSG_GITCONFIG_INT_VAL:
1786 		if (datalen != sizeof(*val)) {
1787 			err = got_error(GOT_ERR_PRIVSEP_LEN);
1788 			break;
1789 		}
1790 		memcpy(val, imsg.data, sizeof(*val));
1791 		break;
1792 	default:
1793 		err = got_error(GOT_ERR_PRIVSEP_MSG);
1794 		break;
1795 	}
1796 
1797 	imsg_free(&imsg);
1798 	return err;
1799 }
1800 
1801 static void
1802 free_remote_data(struct got_remote_repo *remote)
1803 {
1804 	int i;
1805 
1806 	free(remote->name);
1807 	free(remote->url);
1808 	for (i = 0; i < remote->nbranches; i++)
1809 		free(remote->branches[i]);
1810 	free(remote->branches);
1811 	for (i = 0; i < remote->nrefs; i++)
1812 		free(remote->refs[i]);
1813 	free(remote->refs);
1814 }
1815 
1816 const struct got_error *
1817 got_privsep_recv_gitconfig_remotes(struct got_remote_repo **remotes,
1818     int *nremotes, struct imsgbuf *ibuf)
1819 {
1820 	const struct got_error *err = NULL;
1821 	struct imsg imsg;
1822 	size_t datalen;
1823 	struct got_imsg_remotes iremotes;
1824 	struct got_imsg_remote iremote;
1825 
1826 	*remotes = NULL;
1827 	*nremotes = 0;
1828 	iremotes.nremotes = 0;
1829 
1830 	err = got_privsep_recv_imsg(&imsg, ibuf, sizeof(iremotes));
1831 	if (err)
1832 		return err;
1833 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1834 
1835 	switch (imsg.hdr.type) {
1836 	case GOT_IMSG_GITCONFIG_REMOTES:
1837 		if (datalen != sizeof(iremotes)) {
1838 			err = got_error(GOT_ERR_PRIVSEP_LEN);
1839 			break;
1840 		}
1841 		memcpy(&iremotes, imsg.data, sizeof(iremotes));
1842 		if (iremotes.nremotes == 0) {
1843 			imsg_free(&imsg);
1844 			return NULL;
1845 		}
1846 		break;
1847 	default:
1848 		imsg_free(&imsg);
1849 		return got_error(GOT_ERR_PRIVSEP_MSG);
1850 	}
1851 
1852 	imsg_free(&imsg);
1853 
1854 	*remotes = recallocarray(NULL, 0, iremotes.nremotes, sizeof(**remotes));
1855 	if (*remotes == NULL)
1856 		return got_error_from_errno("recallocarray");
1857 
1858 	while (*nremotes < iremotes.nremotes) {
1859 		struct got_remote_repo *remote;
1860 
1861 		err = got_privsep_recv_imsg(&imsg, ibuf, sizeof(iremote));
1862 		if (err)
1863 			break;
1864 		datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1865 
1866 		switch (imsg.hdr.type) {
1867 		case GOT_IMSG_GITCONFIG_REMOTE:
1868 			remote = &(*remotes)[*nremotes];
1869 			memset(remote, 0, sizeof(*remote));
1870 			if (datalen < sizeof(iremote)) {
1871 				err = got_error(GOT_ERR_PRIVSEP_LEN);
1872 				break;
1873 			}
1874 			memcpy(&iremote, imsg.data, sizeof(iremote));
1875 			if (iremote.name_len == 0 || iremote.url_len == 0 ||
1876 			    (sizeof(iremote) + iremote.name_len +
1877 			    iremote.url_len) > datalen) {
1878 				err = got_error(GOT_ERR_PRIVSEP_LEN);
1879 				break;
1880 			}
1881 			remote->name = strndup(imsg.data + sizeof(iremote),
1882 			    iremote.name_len);
1883 			if (remote->name == NULL) {
1884 				err = got_error_from_errno("strndup");
1885 				break;
1886 			}
1887 			remote->url = strndup(imsg.data + sizeof(iremote) +
1888 			    iremote.name_len, iremote.url_len);
1889 			if (remote->url == NULL) {
1890 				err = got_error_from_errno("strndup");
1891 				free_remote_data(remote);
1892 				break;
1893 			}
1894 			remote->mirror_references = iremote.mirror_references;
1895 			remote->fetch_all_branches = iremote.fetch_all_branches;
1896 			remote->nbranches = 0;
1897 			remote->branches = NULL;
1898 			remote->nrefs = 0;
1899 			remote->refs = NULL;
1900 			(*nremotes)++;
1901 			break;
1902 		default:
1903 			err = got_error(GOT_ERR_PRIVSEP_MSG);
1904 			break;
1905 		}
1906 
1907 		imsg_free(&imsg);
1908 		if (err)
1909 			break;
1910 	}
1911 
1912 	if (err) {
1913 		int i;
1914 		for (i = 0; i < *nremotes; i++)
1915 			free_remote_data(&(*remotes)[i]);
1916 		free(*remotes);
1917 		*remotes = NULL;
1918 		*nremotes = 0;
1919 	}
1920 	return err;
1921 }
1922 
1923 const struct got_error *
1924 got_privsep_send_gotconfig_parse_req(struct imsgbuf *ibuf, int fd)
1925 {
1926 	const struct got_error *err = NULL;
1927 
1928 	if (imsg_compose(ibuf, GOT_IMSG_GOTCONFIG_PARSE_REQUEST, 0, 0, fd,
1929 	    NULL, 0) == -1) {
1930 		err = got_error_from_errno("imsg_compose "
1931 		    "GOTCONFIG_PARSE_REQUEST");
1932 		close(fd);
1933 		return err;
1934 	}
1935 
1936 	return flush_imsg(ibuf);
1937 }
1938 
1939 const struct got_error *
1940 got_privsep_send_gotconfig_author_req(struct imsgbuf *ibuf)
1941 {
1942 	if (imsg_compose(ibuf,
1943 	    GOT_IMSG_GOTCONFIG_AUTHOR_REQUEST, 0, 0, -1, NULL, 0) == -1)
1944 		return got_error_from_errno("imsg_compose "
1945 		    "GOTCONFIG_AUTHOR_REQUEST");
1946 
1947 	return flush_imsg(ibuf);
1948 }
1949 
1950 const struct got_error *
1951 got_privsep_send_gotconfig_remotes_req(struct imsgbuf *ibuf)
1952 {
1953 	if (imsg_compose(ibuf,
1954 	    GOT_IMSG_GOTCONFIG_REMOTES_REQUEST, 0, 0, -1, NULL, 0) == -1)
1955 		return got_error_from_errno("imsg_compose "
1956 		    "GOTCONFIG_REMOTE_REQUEST");
1957 
1958 	return flush_imsg(ibuf);
1959 }
1960 
1961 const struct got_error *
1962 got_privsep_recv_gotconfig_str(char **str, struct imsgbuf *ibuf)
1963 {
1964 	const struct got_error *err = NULL;
1965 	struct imsg imsg;
1966 	size_t datalen;
1967 	const size_t min_datalen = 0;
1968 
1969 	*str = NULL;
1970 
1971 	err = got_privsep_recv_imsg(&imsg, ibuf, min_datalen);
1972 	if (err)
1973 		return err;
1974 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
1975 
1976 	switch (imsg.hdr.type) {
1977 	case GOT_IMSG_ERROR:
1978 		if (datalen < sizeof(struct got_imsg_error)) {
1979 			err = got_error(GOT_ERR_PRIVSEP_LEN);
1980 			break;
1981 		}
1982 		err = recv_imsg_error(&imsg, datalen);
1983 		break;
1984 	case GOT_IMSG_GOTCONFIG_STR_VAL:
1985 		if (datalen == 0)
1986 			break;
1987 		/* datalen does not include terminating \0 */
1988 		*str = malloc(datalen + 1);
1989 		if (*str == NULL) {
1990 			err = got_error_from_errno("malloc");
1991 			break;
1992 		}
1993 		memcpy(*str, imsg.data, datalen);
1994 		(*str)[datalen] = '\0';
1995 		break;
1996 	default:
1997 		err = got_error(GOT_ERR_PRIVSEP_MSG);
1998 		break;
1999 	}
2000 
2001 	imsg_free(&imsg);
2002 	return err;
2003 }
2004 
2005 
2006 const struct got_error *
2007 got_privsep_recv_gotconfig_remotes(struct got_remote_repo **remotes,
2008     int *nremotes, struct imsgbuf *ibuf)
2009 {
2010 	const struct got_error *err = NULL;
2011 	struct imsg imsg;
2012 	size_t datalen;
2013 	struct got_imsg_remotes iremotes;
2014 	struct got_imsg_remote iremote;
2015 	const size_t min_datalen =
2016 	    MIN(sizeof(struct got_imsg_error), sizeof(iremotes));
2017 
2018 	*remotes = NULL;
2019 	*nremotes = 0;
2020 	iremotes.nremotes = 0;
2021 
2022 	err = got_privsep_recv_imsg(&imsg, ibuf, min_datalen);
2023 	if (err)
2024 		return err;
2025 	datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
2026 
2027 	switch (imsg.hdr.type) {
2028 	case GOT_IMSG_ERROR:
2029 		if (datalen < sizeof(struct got_imsg_error)) {
2030 			err = got_error(GOT_ERR_PRIVSEP_LEN);
2031 			break;
2032 		}
2033 		err = recv_imsg_error(&imsg, datalen);
2034 		break;
2035 	case GOT_IMSG_GOTCONFIG_REMOTES:
2036 		if (datalen != sizeof(iremotes)) {
2037 			err = got_error(GOT_ERR_PRIVSEP_LEN);
2038 			break;
2039 		}
2040 		memcpy(&iremotes, imsg.data, sizeof(iremotes));
2041 		if (iremotes.nremotes == 0) {
2042 			imsg_free(&imsg);
2043 			return NULL;
2044 		}
2045 		break;
2046 	default:
2047 		imsg_free(&imsg);
2048 		return got_error(GOT_ERR_PRIVSEP_MSG);
2049 	}
2050 
2051 	imsg_free(&imsg);
2052 
2053 	*remotes = recallocarray(NULL, 0, iremotes.nremotes, sizeof(**remotes));
2054 	if (*remotes == NULL)
2055 		return got_error_from_errno("recallocarray");
2056 
2057 	while (*nremotes < iremotes.nremotes) {
2058 		struct got_remote_repo *remote;
2059 		const size_t min_datalen =
2060 		    MIN(sizeof(struct got_imsg_error), sizeof(iremote));
2061 		int i;
2062 
2063 		err = got_privsep_recv_imsg(&imsg, ibuf, min_datalen);
2064 		if (err)
2065 			break;
2066 		datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
2067 
2068 		switch (imsg.hdr.type) {
2069 		case GOT_IMSG_ERROR:
2070 			if (datalen < sizeof(struct got_imsg_error)) {
2071 				err = got_error(GOT_ERR_PRIVSEP_LEN);
2072 				break;
2073 			}
2074 			err = recv_imsg_error(&imsg, datalen);
2075 			break;
2076 		case GOT_IMSG_GOTCONFIG_REMOTE:
2077 			remote = &(*remotes)[*nremotes];
2078 			memset(remote, 0, sizeof(*remote));
2079 			if (datalen < sizeof(iremote)) {
2080 				err = got_error(GOT_ERR_PRIVSEP_LEN);
2081 				break;
2082 			}
2083 			memcpy(&iremote, imsg.data, sizeof(iremote));
2084 			if (iremote.name_len == 0 || iremote.url_len == 0 ||
2085 			    (sizeof(iremote) + iremote.name_len +
2086 			    iremote.url_len) > datalen) {
2087 				err = got_error(GOT_ERR_PRIVSEP_LEN);
2088 				break;
2089 			}
2090 			remote->name = strndup(imsg.data + sizeof(iremote),
2091 			    iremote.name_len);
2092 			if (remote->name == NULL) {
2093 				err = got_error_from_errno("strndup");
2094 				break;
2095 			}
2096 			remote->url = strndup(imsg.data + sizeof(iremote) +
2097 			    iremote.name_len, iremote.url_len);
2098 			if (remote->url == NULL) {
2099 				err = got_error_from_errno("strndup");
2100 				free_remote_data(remote);
2101 				break;
2102 			}
2103 			remote->mirror_references = iremote.mirror_references;
2104 			remote->fetch_all_branches = iremote.fetch_all_branches;
2105 			if (iremote.nbranches > 0) {
2106 				remote->branches = recallocarray(NULL, 0,
2107 				    iremote.nbranches, sizeof(char *));
2108 				if (remote->branches == NULL) {
2109 					err = got_error_from_errno("calloc");
2110 					free_remote_data(remote);
2111 					break;
2112 				}
2113 			}
2114 			remote->nbranches = 0;
2115 			for (i = 0; i < iremote.nbranches; i++) {
2116 				char *branch;
2117 				err = got_privsep_recv_gotconfig_str(&branch,
2118 				    ibuf);
2119 				if (err) {
2120 					free_remote_data(remote);
2121 					goto done;
2122 				}
2123 				remote->branches[i] = branch;
2124 				remote->nbranches++;
2125 			}
2126 			if (iremote.nrefs > 0) {
2127 				remote->refs = recallocarray(NULL, 0,
2128 				    iremote.nrefs, sizeof(char *));
2129 				if (remote->refs == NULL) {
2130 					err = got_error_from_errno("calloc");
2131 					free_remote_data(remote);
2132 					break;
2133 				}
2134 			}
2135 			remote->nrefs = 0;
2136 			for (i = 0; i < iremote.nrefs; i++) {
2137 				char *ref;
2138 				err = got_privsep_recv_gotconfig_str(&ref,
2139 				    ibuf);
2140 				if (err) {
2141 					free_remote_data(remote);
2142 					goto done;
2143 				}
2144 				remote->refs[i] = ref;
2145 				remote->nrefs++;
2146 			}
2147 			(*nremotes)++;
2148 			break;
2149 		default:
2150 			err = got_error(GOT_ERR_PRIVSEP_MSG);
2151 			break;
2152 		}
2153 
2154 		imsg_free(&imsg);
2155 		if (err)
2156 			break;
2157 	}
2158 done:
2159 	if (err) {
2160 		int i;
2161 		for (i = 0; i < *nremotes; i++)
2162 			free_remote_data(&(*remotes)[i]);
2163 		free(*remotes);
2164 		*remotes = NULL;
2165 		*nremotes = 0;
2166 	}
2167 	return err;
2168 }
2169 
2170 const struct got_error *
2171 got_privsep_send_commit_traversal_request(struct imsgbuf *ibuf,
2172      struct got_object_id *id, int idx, const char *path)
2173 {
2174 	const struct got_error *err = NULL;
2175 	struct ibuf *wbuf;
2176 	size_t path_len = strlen(path) + 1;
2177 
2178 	wbuf = imsg_create(ibuf, GOT_IMSG_COMMIT_TRAVERSAL_REQUEST, 0, 0,
2179 	    sizeof(struct got_imsg_commit_traversal_request) + path_len);
2180 	if (wbuf == NULL)
2181 		return got_error_from_errno(
2182 		    "imsg_create COMMIT_TRAVERSAL_REQUEST");
2183 	if (imsg_add(wbuf, id->sha1, SHA1_DIGEST_LENGTH) == -1) {
2184 		err = got_error_from_errno("imsg_add COMMIT_TRAVERSAL_REQUEST");
2185 		ibuf_free(wbuf);
2186 		return err;
2187 	}
2188 	if (imsg_add(wbuf, &idx, sizeof(idx)) == -1) {
2189 		err = got_error_from_errno("imsg_add COMMIT_TRAVERSAL_REQUEST");
2190 		ibuf_free(wbuf);
2191 		return err;
2192 	}
2193 	if (imsg_add(wbuf, path, path_len) == -1) {
2194 		err = got_error_from_errno("imsg_add COMMIT_TRAVERSAL_REQUEST");
2195 		ibuf_free(wbuf);
2196 		return err;
2197 	}
2198 
2199 	wbuf->fd = -1;
2200 	imsg_close(ibuf, wbuf);
2201 
2202 	return flush_imsg(ibuf);
2203 }
2204 
2205 const struct got_error *
2206 got_privsep_recv_traversed_commits(struct got_commit_object **changed_commit,
2207     struct got_object_id **changed_commit_id,
2208     struct got_object_id_queue *commit_ids, struct imsgbuf *ibuf)
2209 {
2210 	const struct got_error *err = NULL;
2211 	struct imsg imsg;
2212 	struct got_imsg_traversed_commits *icommits;
2213 	size_t datalen;
2214 	int i, done = 0;
2215 
2216 	*changed_commit = NULL;
2217 	*changed_commit_id = NULL;
2218 
2219 	while (!done) {
2220 		err = got_privsep_recv_imsg(&imsg, ibuf, 0);
2221 		if (err)
2222 			return err;
2223 
2224 		datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
2225 		switch (imsg.hdr.type) {
2226 		case GOT_IMSG_TRAVERSED_COMMITS:
2227 			icommits = imsg.data;
2228 			if (datalen != sizeof(*icommits) +
2229 			    icommits->ncommits * SHA1_DIGEST_LENGTH) {
2230 				err = got_error(GOT_ERR_PRIVSEP_LEN);
2231 				break;
2232 			}
2233 			for (i = 0; i < icommits->ncommits; i++) {
2234 				struct got_object_qid *qid;
2235 				uint8_t *sha1 = (uint8_t *)imsg.data +
2236 				    sizeof(*icommits) + i * SHA1_DIGEST_LENGTH;
2237 				err = got_object_qid_alloc_partial(&qid);
2238 				if (err)
2239 					break;
2240 				memcpy(qid->id->sha1, sha1, SHA1_DIGEST_LENGTH);
2241 				SIMPLEQ_INSERT_TAIL(commit_ids, qid, entry);
2242 
2243 				/* The last commit may contain a change. */
2244 				if (i == icommits->ncommits - 1) {
2245 					*changed_commit_id =
2246 					    got_object_id_dup(qid->id);
2247 					if (*changed_commit_id == NULL) {
2248 						err = got_error_from_errno(
2249 						    "got_object_id_dup");
2250 						break;
2251 					}
2252 				}
2253 			}
2254 			break;
2255 		case GOT_IMSG_COMMIT:
2256 			if (*changed_commit_id == NULL) {
2257 				err = got_error(GOT_ERR_PRIVSEP_MSG);
2258 				break;
2259 			}
2260 			err = get_commit_from_imsg(changed_commit, &imsg,
2261 			    datalen, ibuf);
2262 			break;
2263 		case GOT_IMSG_COMMIT_TRAVERSAL_DONE:
2264 			done = 1;
2265 			break;
2266 		default:
2267 			err = got_error(GOT_ERR_PRIVSEP_MSG);
2268 			break;
2269 		}
2270 
2271 		imsg_free(&imsg);
2272 		if (err)
2273 			break;
2274 	}
2275 
2276 	if (err)
2277 		got_object_id_queue_free(commit_ids);
2278 	return err;
2279 }
2280 
2281 const struct got_error *
2282 got_privsep_unveil_exec_helpers(void)
2283 {
2284 	const char *helpers[] = {
2285 	    GOT_PATH_PROG_READ_PACK,
2286 	    GOT_PATH_PROG_READ_OBJECT,
2287 	    GOT_PATH_PROG_READ_COMMIT,
2288 	    GOT_PATH_PROG_READ_TREE,
2289 	    GOT_PATH_PROG_READ_BLOB,
2290 	    GOT_PATH_PROG_READ_TAG,
2291 	    GOT_PATH_PROG_READ_GITCONFIG,
2292 	    GOT_PATH_PROG_READ_GOTCONFIG,
2293 	    GOT_PATH_PROG_FETCH_PACK,
2294 	    GOT_PATH_PROG_INDEX_PACK,
2295 	};
2296 	size_t i;
2297 
2298 	for (i = 0; i < nitems(helpers); i++) {
2299 		if (unveil(helpers[i], "x") == 0)
2300 			continue;
2301 		return got_error_from_errno2("unveil", helpers[i]);
2302 	}
2303 
2304 	return NULL;
2305 }
2306 
2307 void
2308 got_privsep_exec_child(int imsg_fds[2], const char *path, const char *repo_path)
2309 {
2310 	if (close(imsg_fds[0]) == -1) {
2311 		fprintf(stderr, "%s: %s\n", getprogname(), strerror(errno));
2312 		_exit(1);
2313 	}
2314 
2315 	if (dup2(imsg_fds[1], GOT_IMSG_FD_CHILD) == -1) {
2316 		fprintf(stderr, "%s: %s\n", getprogname(), strerror(errno));
2317 		_exit(1);
2318 	}
2319 	if (closefrom(GOT_IMSG_FD_CHILD + 1) == -1) {
2320 		fprintf(stderr, "%s: %s\n", getprogname(), strerror(errno));
2321 		_exit(1);
2322 	}
2323 
2324 	if (execl(path, path, repo_path, (char *)NULL) == -1) {
2325 		fprintf(stderr, "%s: %s: %s\n", getprogname(), path,
2326 		    strerror(errno));
2327 		_exit(1);
2328 	}
2329 }