1 /*
2  * Copyright (c) 2018 Stefan Sperling <stsp@openbsd.org>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include <sys/types.h>
18 #include <sys/stat.h>
19 #include <sys/queue.h>
20 #include <sys/uio.h>
21 #include <sys/socket.h>
22 #include <sys/syslimits.h>
23 #include <sys/wait.h>
24 
25 #include <errno.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <stdint.h>
30 #include <sha1.h>
31 #include <zlib.h>
32 #include <ctype.h>
33 #include <limits.h>
34 #include <imsg.h>
35 #include <time.h>
36 #include <unistd.h>
37 
38 #include "got_error.h"
39 #include "got_object.h"
40 #include "got_repository.h"
41 #include "got_opentemp.h"
42 
43 #include "got_lib_sha1.h"
44 #include "got_lib_delta.h"
45 #include "got_lib_privsep.h"
46 #include "got_lib_pack.h"
47 #include "got_lib_inflate.h"
48 #include "got_lib_object.h"
49 #include "got_lib_object_cache.h"
50 #include "got_lib_repository.h"
51 
52 #ifndef nitems
53 #define nitems(_a) (sizeof(_a) / sizeof((_a)[0]))
54 #endif
55 
56 #define GOT_OBJ_TAG_COMMIT	"commit"
57 #define GOT_OBJ_TAG_TREE	"tree"
58 #define GOT_OBJ_TAG_BLOB	"blob"
59 
60 #define GOT_COMMIT_TAG_TREE		"tree "
61 #define GOT_COMMIT_TAG_PARENT		"parent "
62 #define GOT_COMMIT_TAG_AUTHOR		"author "
63 #define GOT_COMMIT_TAG_COMMITTER	"committer "
64 
65 void
66 got_object_close(struct got_object *obj)
67 {
68 	if (obj->refcnt > 0) {
69 		obj->refcnt--;
70 		if (obj->refcnt > 0)
71 			return;
72 	}
73 
74 	if (obj->flags & GOT_OBJ_FLAG_DELTIFIED) {
75 		struct got_delta *delta;
76 		while (!SIMPLEQ_EMPTY(&obj->deltas.entries)) {
77 			delta = SIMPLEQ_FIRST(&obj->deltas.entries);
78 			SIMPLEQ_REMOVE_HEAD(&obj->deltas.entries, entry);
79 			got_delta_close(delta);
80 		}
81 	}
82 	if (obj->flags & GOT_OBJ_FLAG_PACKED)
83 		free(obj->path_packfile);
84 	free(obj);
85 }
86 
87 void
88 got_object_qid_free(struct got_object_qid *qid)
89 {
90 	free(qid->id);
91 	free(qid);
92 }
93 
94 static const struct got_error *
95 request_object(struct got_object **obj, struct got_repository *repo, int fd)
96 {
97 	const struct got_error *err = NULL;
98 	struct imsgbuf *ibuf;
99 
100 	ibuf = repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_OBJECT].ibuf;
101 
102 	err = got_privsep_send_obj_req(ibuf, fd, NULL);
103 	if (err)
104 		return err;
105 
106 	return got_privsep_recv_obj(obj, ibuf);
107 }
108 
109 static void
110 exec_privsep_child(int imsg_fds[2], const char *path, const char *repo_path)
111 {
112 	close(imsg_fds[0]);
113 
114 	if (dup2(imsg_fds[1], GOT_IMSG_FD_CHILD) == -1) {
115 		fprintf(stderr, "%s: %s\n", getprogname(),
116 		    strerror(errno));
117 		_exit(1);
118 	}
119 	if (closefrom(GOT_IMSG_FD_CHILD + 1) == -1) {
120 		fprintf(stderr, "%s: %s\n", getprogname(),
121 		    strerror(errno));
122 		_exit(1);
123 	}
124 
125 	if (execl(path, path, repo_path, (char *)NULL) == -1) {
126 		fprintf(stderr, "%s: %s: %s\n", getprogname(), path,
127 		    strerror(errno));
128 		_exit(1);
129 	}
130 }
131 
132 const struct got_error *
133 got_object_read_header_privsep(struct got_object **obj,
134     struct got_repository *repo, int obj_fd)
135 {
136 	int imsg_fds[2];
137 	pid_t pid;
138 	struct imsgbuf *ibuf;
139 
140 	if (repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_OBJECT].imsg_fd != -1)
141 		return request_object(obj, repo, obj_fd);
142 
143 	ibuf = calloc(1, sizeof(*ibuf));
144 	if (ibuf == NULL)
145 		return got_error_from_errno();
146 
147 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, imsg_fds) == -1)
148 		return got_error_from_errno();
149 
150 	pid = fork();
151 	if (pid == -1)
152 		return got_error_from_errno();
153 	else if (pid == 0) {
154 		exec_privsep_child(imsg_fds, GOT_PATH_PROG_READ_OBJECT,
155 		    repo->path);
156 		/* not reached */
157 	}
158 
159 	close(imsg_fds[1]);
160 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_OBJECT].imsg_fd =
161 	    imsg_fds[0];
162 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_OBJECT].pid = pid;
163 	imsg_init(ibuf, imsg_fds[0]);
164 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_OBJECT].ibuf = ibuf;
165 
166 	return request_object(obj, repo, obj_fd);
167 }
168 
169 static const struct got_error *
170 request_packed_object(struct got_object **obj, struct got_pack *pack, int idx,
171     struct got_object_id *id)
172 {
173 	const struct got_error *err = NULL;
174 	struct imsgbuf *ibuf = pack->privsep_child->ibuf;
175 
176 	err = got_privsep_send_packed_obj_req(ibuf, idx);
177 	if (err)
178 		return err;
179 
180 	err = got_privsep_recv_obj(obj, ibuf);
181 	if (err)
182 		return err;
183 
184 	(*obj)->path_packfile = strdup(pack->path_packfile);
185 	if ((*obj)->path_packfile == NULL) {
186 		err = got_error_from_errno();
187 		return err;
188 	}
189 	memcpy(&(*obj)->id, id, sizeof((*obj)->id));
190 
191 	return NULL;
192 }
193 
194 const struct got_error *
195 got_object_packed_read_privsep(struct got_object **obj,
196     struct got_repository *repo, struct got_pack *pack,
197     struct got_packidx *packidx, int idx, struct got_object_id *id)
198 {
199 	const struct got_error *err = NULL;
200 	int imsg_fds[2];
201 	pid_t pid;
202 	struct imsgbuf *ibuf;
203 
204 	if (pack->privsep_child)
205 		return request_packed_object(obj, pack, idx, id);
206 
207 	ibuf = calloc(1, sizeof(*ibuf));
208 	if (ibuf == NULL)
209 		return got_error_from_errno();
210 
211 	pack->privsep_child = calloc(1, sizeof(*pack->privsep_child));
212 	if (pack->privsep_child == NULL) {
213 		err = got_error_from_errno();
214 		free(ibuf);
215 		return err;
216 	}
217 
218 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, imsg_fds) == -1) {
219 		err = got_error_from_errno();
220 		goto done;
221 	}
222 
223 	pid = fork();
224 	if (pid == -1) {
225 		err = got_error_from_errno();
226 		goto done;
227 	} else if (pid == 0) {
228 		exec_privsep_child(imsg_fds, GOT_PATH_PROG_READ_PACK,
229 		    pack->path_packfile);
230 		/* not reached */
231 	}
232 
233 	close(imsg_fds[1]);
234 	pack->privsep_child->imsg_fd = imsg_fds[0];
235 	pack->privsep_child->pid = pid;
236 	imsg_init(ibuf, imsg_fds[0]);
237 	pack->privsep_child->ibuf = ibuf;
238 
239 	err = got_privsep_init_pack_child(ibuf, pack, packidx);
240 	if (err) {
241 		const struct got_error *child_err;
242 		err = got_privsep_send_stop(pack->privsep_child->imsg_fd);
243 		child_err = got_privsep_wait_for_child(
244 		    pack->privsep_child->pid);
245 		if (child_err && err == NULL)
246 			err = child_err;
247 		free(ibuf);
248 		free(pack->privsep_child);
249 		pack->privsep_child = NULL;
250 		return err;
251 	}
252 
253 done:
254 	if (err) {
255 		free(ibuf);
256 		free(pack->privsep_child);
257 		pack->privsep_child = NULL;
258 	} else
259 		err = request_packed_object(obj, pack, idx, id);
260 	return err;
261 }
262 
263 struct got_commit_object *
264 got_object_commit_alloc_partial(void)
265 {
266 	struct got_commit_object *commit;
267 
268 	commit = calloc(1, sizeof(*commit));
269 	if (commit == NULL)
270 		return NULL;
271 	commit->tree_id = calloc(1, sizeof(*commit->tree_id));
272 	if (commit->tree_id == NULL) {
273 		free(commit);
274 		return NULL;
275 	}
276 
277 	SIMPLEQ_INIT(&commit->parent_ids);
278 
279 	return commit;
280 }
281 
282 const struct got_error *
283 got_object_commit_add_parent(struct got_commit_object *commit,
284     const char *id_str)
285 {
286 	const struct got_error *err = NULL;
287 	struct got_object_qid *qid;
288 
289 	qid = malloc(sizeof(*qid));
290 	if (qid == NULL)
291 		return got_error_from_errno();
292 
293 	qid->id = malloc(sizeof(*qid->id));
294 	if (qid->id == NULL) {
295 		err = got_error_from_errno();
296 		got_object_qid_free(qid);
297 		return err;
298 	}
299 
300 	if (!got_parse_sha1_digest(qid->id->sha1, id_str)) {
301 		err = got_error(GOT_ERR_BAD_OBJ_DATA);
302 		free(qid->id);
303 		free(qid);
304 		return err;
305 	}
306 
307 	SIMPLEQ_INSERT_TAIL(&commit->parent_ids, qid, entry);
308 	commit->nparents++;
309 
310 	return NULL;
311 }
312 
313 static const struct got_error *
314 parse_gmtoff(time_t *gmtoff, const char *tzstr)
315 {
316 	int sign = 1;
317 	const char *p = tzstr;
318 	time_t h, m;
319 
320 	*gmtoff = 0;
321 
322 	if (*p == '-')
323 		sign = -1;
324 	else if (*p != '+')
325 		return got_error(GOT_ERR_BAD_OBJ_DATA);
326 	p++;
327 	if (!isdigit(*p) && !isdigit(*(p + 1)))
328 		return got_error(GOT_ERR_BAD_OBJ_DATA);
329 	h = (((*p - '0') * 10) + (*(p + 1) - '0'));
330 
331 	p += 2;
332 	if (!isdigit(*p) && !isdigit(*(p + 1)))
333 		return got_error(GOT_ERR_BAD_OBJ_DATA);
334 	m = ((*p - '0') * 10) + (*(p + 1) - '0');
335 
336 	*gmtoff = (h * 60 * 60 + m * 60) * sign;
337 	return NULL;
338 }
339 
340 static const struct got_error *
341 parse_commit_time(struct tm *tm, char *committer)
342 {
343 	const struct got_error *err = NULL;
344 	const char *errstr;
345 	char *space, *tzstr;
346 	time_t gmtoff;
347 	time_t time;
348 
349 	/* Parse and strip off trailing timezone indicator string. */
350 	space = strrchr(committer, ' ');
351 	if (space == NULL)
352 		return got_error(GOT_ERR_BAD_OBJ_DATA);
353 	tzstr = strdup(space + 1);
354 	if (tzstr == NULL)
355 		return got_error_from_errno();
356 	err = parse_gmtoff(&gmtoff, tzstr);
357 	free(tzstr);
358 	if (err)
359 		return err;
360 	*space = '\0';
361 
362 	/* Timestamp is separated from committer name + email by space. */
363 	space = strrchr(committer, ' ');
364 	if (space == NULL)
365 		return got_error(GOT_ERR_BAD_OBJ_DATA);
366 
367 	/* Timestamp parsed here is expressed in comitter's local time. */
368 	time = strtonum(space + 1, 0, INT64_MAX, &errstr);
369 	if (errstr)
370 		return got_error(GOT_ERR_BAD_OBJ_DATA);
371 
372 	/* Express the time stamp in UTC. */
373 	memset(tm, 0, sizeof(*tm));
374 	time -= gmtoff;
375 	if (localtime_r(&time, tm) == NULL)
376 		return got_error_from_errno();
377 	tm->tm_gmtoff = gmtoff;
378 
379 	/* Strip off parsed time information, leaving just author and email. */
380 	*space = '\0';
381 
382 	return NULL;
383 }
384 
385 void
386 got_object_commit_close(struct got_commit_object *commit)
387 {
388 	struct got_object_qid *qid;
389 
390 	if (commit->refcnt > 0) {
391 		commit->refcnt--;
392 		if (commit->refcnt > 0)
393 			return;
394 	}
395 
396 	while (!SIMPLEQ_EMPTY(&commit->parent_ids)) {
397 		qid = SIMPLEQ_FIRST(&commit->parent_ids);
398 		SIMPLEQ_REMOVE_HEAD(&commit->parent_ids, entry);
399 		got_object_qid_free(qid);
400 	}
401 
402 	free(commit->tree_id);
403 	free(commit->author);
404 	free(commit->committer);
405 	free(commit->logmsg);
406 	free(commit);
407 }
408 
409 const struct got_error *
410 got_object_parse_commit(struct got_commit_object **commit, char *buf, size_t len)
411 {
412 	const struct got_error *err = NULL;
413 	char *s = buf;
414 	size_t tlen;
415 	ssize_t remain = (ssize_t)len;
416  
417 	*commit = got_object_commit_alloc_partial();
418 	if (*commit == NULL)
419 		return got_error_from_errno();
420 
421 	tlen = strlen(GOT_COMMIT_TAG_TREE);
422 	if (strncmp(s, GOT_COMMIT_TAG_TREE, tlen) == 0) {
423 		remain -= tlen;
424 		if (remain < SHA1_DIGEST_STRING_LENGTH) {
425 			err = got_error(GOT_ERR_BAD_OBJ_DATA);
426 			goto done;
427 		}
428 		s += tlen;
429 		if (!got_parse_sha1_digest((*commit)->tree_id->sha1, s)) {
430 			err = got_error(GOT_ERR_BAD_OBJ_DATA);
431 			goto done;
432 		}
433 		remain -= SHA1_DIGEST_STRING_LENGTH;
434 		s += SHA1_DIGEST_STRING_LENGTH;
435 	} else {
436 		err = got_error(GOT_ERR_BAD_OBJ_DATA);
437 		goto done;
438 	}
439 
440 	tlen = strlen(GOT_COMMIT_TAG_PARENT);
441 	while (strncmp(s, GOT_COMMIT_TAG_PARENT, tlen) == 0) {
442 		remain -= tlen;
443 		if (remain < SHA1_DIGEST_STRING_LENGTH) {
444 			err = got_error(GOT_ERR_BAD_OBJ_DATA);
445 			goto done;
446 		}
447 		s += tlen;
448 		err = got_object_commit_add_parent(*commit, s);
449 		if (err)
450 			goto done;
451 
452 		remain -= SHA1_DIGEST_STRING_LENGTH;
453 		s += SHA1_DIGEST_STRING_LENGTH;
454 	}
455 
456 	tlen = strlen(GOT_COMMIT_TAG_AUTHOR);
457 	if (strncmp(s, GOT_COMMIT_TAG_AUTHOR, tlen) == 0) {
458 		char *p;
459 		size_t slen;
460 
461 		remain -= tlen;
462 		if (remain <= 0) {
463 			err = got_error(GOT_ERR_BAD_OBJ_DATA);
464 			goto done;
465 		}
466 		s += tlen;
467 		p = strchr(s, '\n');
468 		if (p == NULL) {
469 			err = got_error(GOT_ERR_BAD_OBJ_DATA);
470 			goto done;
471 		}
472 		*p = '\0';
473 		slen = strlen(s);
474 		err = parse_commit_time(&(*commit)->tm_author, s);
475 		if (err)
476 			goto done;
477 		(*commit)->author = strdup(s);
478 		if ((*commit)->author == NULL) {
479 			err = got_error_from_errno();
480 			goto done;
481 		}
482 		s += slen + 1;
483 		remain -= slen + 1;
484 	}
485 
486 	tlen = strlen(GOT_COMMIT_TAG_COMMITTER);
487 	if (strncmp(s, GOT_COMMIT_TAG_COMMITTER, tlen) == 0) {
488 		char *p;
489 		size_t slen;
490 
491 		remain -= tlen;
492 		if (remain <= 0) {
493 			err = got_error(GOT_ERR_BAD_OBJ_DATA);
494 			goto done;
495 		}
496 		s += tlen;
497 		p = strchr(s, '\n');
498 		if (p == NULL) {
499 			err = got_error(GOT_ERR_BAD_OBJ_DATA);
500 			goto done;
501 		}
502 		*p = '\0';
503 		slen = strlen(s);
504 		err = parse_commit_time(&(*commit)->tm_committer, s);
505 		if (err)
506 			goto done;
507 		(*commit)->committer = strdup(s);
508 		if ((*commit)->committer == NULL) {
509 			err = got_error_from_errno();
510 			goto done;
511 		}
512 		s += slen + 1;
513 		remain -= slen + 1;
514 	}
515 
516 	(*commit)->logmsg = strndup(s, remain);
517 	if ((*commit)->logmsg == NULL) {
518 		err = got_error_from_errno();
519 		goto done;
520 	}
521 done:
522 	if (err) {
523 		got_object_commit_close(*commit);
524 		*commit = NULL;
525 	}
526 	return err;
527 }
528 
529 void
530 got_object_tree_entry_close(struct got_tree_entry *te)
531 {
532 	free(te->id);
533 	free(te->name);
534 	free(te);
535 }
536 
537 void
538 got_object_tree_close(struct got_tree_object *tree)
539 {
540 	struct got_tree_entry *te;
541 
542 	if (tree->refcnt > 0) {
543 		tree->refcnt--;
544 		if (tree->refcnt > 0)
545 			return;
546 	}
547 
548 	while (!SIMPLEQ_EMPTY(&tree->entries.head)) {
549 		te = SIMPLEQ_FIRST(&tree->entries.head);
550 		SIMPLEQ_REMOVE_HEAD(&tree->entries.head, entry);
551 		got_object_tree_entry_close(te);
552 	}
553 
554 	free(tree);
555 }
556 
557 struct got_tree_entry *
558 got_alloc_tree_entry_partial(void)
559 {
560 	struct got_tree_entry *te;
561 
562 	te = calloc(1, sizeof(*te));
563 	if (te == NULL)
564 		return NULL;
565 
566 	te->id = calloc(1, sizeof(*te->id));
567 	if (te->id == NULL) {
568 		free(te);
569 		te = NULL;
570 	}
571 	return te;
572 }
573 
574 static const struct got_error *
575 parse_tree_entry(struct got_tree_entry **te, size_t *elen, char *buf,
576     size_t maxlen)
577 {
578 	char *p = buf, *space;
579 	const struct got_error *err = NULL;
580 
581 	*te = got_alloc_tree_entry_partial();
582 	if (*te == NULL)
583 		return got_error_from_errno();
584 
585 	*elen = strlen(buf) + 1;
586 	if (*elen > maxlen) {
587 		free(*te);
588 		*te = NULL;
589 		return got_error(GOT_ERR_BAD_OBJ_DATA);
590 	}
591 
592 	space = strchr(buf, ' ');
593 	if (space == NULL) {
594 		err = got_error(GOT_ERR_BAD_OBJ_DATA);
595 		free(*te);
596 		*te = NULL;
597 		return err;
598 	}
599 	while (*p != ' ') {
600 		if (*p < '0' && *p > '7') {
601 			err = got_error(GOT_ERR_BAD_OBJ_DATA);
602 			goto done;
603 		}
604 		(*te)->mode <<= 3;
605 		(*te)->mode |= *p - '0';
606 		p++;
607 	}
608 
609 	(*te)->name = strdup(space + 1);
610 	if (*elen > maxlen || maxlen - *elen < SHA1_DIGEST_LENGTH) {
611 		err = got_error(GOT_ERR_BAD_OBJ_DATA);
612 		goto done;
613 	}
614 	buf += strlen(buf) + 1;
615 	memcpy((*te)->id->sha1, buf, SHA1_DIGEST_LENGTH);
616 	*elen += SHA1_DIGEST_LENGTH;
617 done:
618 	if (err) {
619 		got_object_tree_entry_close(*te);
620 		*te = NULL;
621 	}
622 	return err;
623 }
624 
625 const struct got_error *
626 got_object_parse_tree(struct got_tree_object **tree, uint8_t *buf, size_t len)
627 {
628 	const struct got_error *err;
629 	size_t remain = len;
630 
631 	*tree = calloc(1, sizeof(**tree));
632 	if (*tree == NULL)
633 		return got_error_from_errno();
634 
635 	SIMPLEQ_INIT(&(*tree)->entries.head);
636 
637 	while (remain > 0) {
638 		struct got_tree_entry *te;
639 		size_t elen;
640 
641 		err = parse_tree_entry(&te, &elen, buf, remain);
642 		if (err)
643 			return err;
644 		(*tree)->entries.nentries++;
645 		SIMPLEQ_INSERT_TAIL(&(*tree)->entries.head, te, entry);
646 		buf += elen;
647 		remain -= elen;
648 	}
649 
650 	if (remain != 0) {
651 		got_object_tree_close(*tree);
652 		return got_error(GOT_ERR_BAD_OBJ_DATA);
653 	}
654 
655 	return NULL;
656 }
657 
658 const struct got_error *
659 got_read_file_to_mem(uint8_t **outbuf, size_t *outlen, FILE *f)
660 {
661 	const struct got_error *err = NULL;
662 	static const size_t blocksize = 512;
663 	size_t n, total, remain;
664 	uint8_t *buf;
665 
666 	*outbuf = NULL;
667 	*outlen = 0;
668 
669 	buf = malloc(blocksize);
670 	if (buf == NULL)
671 		return got_error_from_errno();
672 
673 	remain = blocksize;
674 	total = 0;
675 	while (1) {
676 		if (remain == 0) {
677 			uint8_t *newbuf;
678 			newbuf = reallocarray(buf, 1, total + blocksize);
679 			if (newbuf == NULL) {
680 				err = got_error_from_errno();
681 				goto done;
682 			}
683 			buf = newbuf;
684 			remain += blocksize;
685 		}
686 		n = fread(buf + total, 1, remain, f);
687 		if (n == 0) {
688 			if (ferror(f)) {
689 				err = got_ferror(f, GOT_ERR_IO);
690 				goto done;
691 			}
692 			break; /* EOF */
693 		}
694 		remain -= n;
695 		total += n;
696 	};
697 
698 done:
699 	if (err == NULL) {
700 		*outbuf = buf;
701 		*outlen = total;
702 	} else
703 		free(buf);
704 	return err;
705 }
706 
707 static const struct got_error *
708 request_commit(struct got_commit_object **commit, struct got_repository *repo,
709     struct got_object *obj, int fd)
710 {
711 	const struct got_error *err = NULL;
712 	struct imsgbuf *ibuf;
713 
714 	ibuf = repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_COMMIT].ibuf;
715 
716 	err = got_privsep_send_obj_req(ibuf, fd, obj);
717 	if (err)
718 		return err;
719 
720 	return got_privsep_recv_commit(commit, ibuf);
721 }
722 
723 const struct got_error *
724 got_object_read_packed_commit_privsep(struct got_commit_object **commit,
725     struct got_object *obj, struct got_pack *pack)
726 {
727 	const struct got_error *err = NULL;
728 
729 	err = got_privsep_send_obj_req(pack->privsep_child->ibuf, -1, obj);
730 	if (err)
731 		return err;
732 
733 	return got_privsep_recv_commit(commit, pack->privsep_child->ibuf);
734 }
735 
736 const struct got_error *
737 got_object_read_commit_privsep(struct got_commit_object **commit,
738     struct got_object *obj, int obj_fd, struct got_repository *repo)
739 {
740 	int imsg_fds[2];
741 	pid_t pid;
742 	struct imsgbuf *ibuf;
743 
744 	if (repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_COMMIT].imsg_fd != -1)
745 		return request_commit(commit, repo, obj, obj_fd);
746 
747 	ibuf = calloc(1, sizeof(*ibuf));
748 	if (ibuf == NULL)
749 		return got_error_from_errno();
750 
751 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, imsg_fds) == -1)
752 		return got_error_from_errno();
753 
754 	pid = fork();
755 	if (pid == -1)
756 		return got_error_from_errno();
757 	else if (pid == 0) {
758 		exec_privsep_child(imsg_fds, GOT_PATH_PROG_READ_COMMIT,
759 		    repo->path);
760 		/* not reached */
761 	}
762 
763 	close(imsg_fds[1]);
764 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_COMMIT].imsg_fd =
765 	    imsg_fds[0];
766 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_COMMIT].pid = pid;
767 	imsg_init(ibuf, imsg_fds[0]);
768 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_COMMIT].ibuf = ibuf;
769 
770 	return request_commit(commit, repo, obj, obj_fd);
771 }
772 
773 static const struct got_error *
774 request_tree(struct got_tree_object **tree, struct got_repository *repo,
775     struct got_object *obj, int fd)
776 {
777 	const struct got_error *err = NULL;
778 	struct imsgbuf *ibuf;
779 
780 	ibuf = repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_TREE].ibuf;
781 
782 	err = got_privsep_send_obj_req(ibuf, fd, obj);
783 	if (err)
784 		return err;
785 
786 	return got_privsep_recv_tree(tree, ibuf);
787 }
788 
789 const struct got_error *
790 got_object_read_tree_privsep(struct got_tree_object **tree,
791     struct got_object *obj, int obj_fd, struct got_repository *repo)
792 {
793 	int imsg_fds[2];
794 	pid_t pid;
795 	struct imsgbuf *ibuf;
796 
797 	if (repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_TREE].imsg_fd != -1)
798 		return request_tree(tree, repo, obj, obj_fd);
799 
800 	ibuf = calloc(1, sizeof(*ibuf));
801 	if (ibuf == NULL)
802 		return got_error_from_errno();
803 
804 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, imsg_fds) == -1)
805 		return got_error_from_errno();
806 
807 	pid = fork();
808 	if (pid == -1)
809 		return got_error_from_errno();
810 	else if (pid == 0) {
811 		exec_privsep_child(imsg_fds, GOT_PATH_PROG_READ_TREE,
812 		    repo->path);
813 		/* not reached */
814 	}
815 
816 	close(imsg_fds[1]);
817 
818 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_TREE].imsg_fd =
819 	    imsg_fds[0];
820 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_TREE].pid = pid;
821 	imsg_init(ibuf, imsg_fds[0]);
822 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_TREE].ibuf = ibuf;
823 
824 
825 	return request_tree(tree, repo, obj, obj_fd);
826 }
827 
828 const struct got_error *
829 got_object_read_packed_tree_privsep(struct got_tree_object **tree,
830     struct got_object *obj, struct got_pack *pack)
831 {
832 	const struct got_error *err = NULL;
833 
834 	err = got_privsep_send_obj_req(pack->privsep_child->ibuf, -1, obj);
835 	if (err)
836 		return err;
837 
838 	return got_privsep_recv_tree(tree, pack->privsep_child->ibuf);
839 }
840 
841 const struct got_error *
842 got_object_read_packed_blob_privsep(size_t *size, int outfd,
843     struct got_object *obj, struct got_pack *pack)
844 {
845 	const struct got_error *err = NULL;
846 	int outfd_child;
847 
848 	outfd_child = dup(outfd);
849 	if (outfd_child == -1)
850 		return got_error_from_errno();
851 
852 	err = got_privsep_send_obj_req(pack->privsep_child->ibuf, -1, obj);
853 	if (err)
854 		return err;
855 
856 	err = got_privsep_send_blob_outfd(pack->privsep_child->ibuf,
857 	    outfd_child);
858 	if (err) {
859 		close(outfd_child);
860 		return err;
861 	}
862 
863 	err = got_privsep_recv_blob(size, pack->privsep_child->ibuf);
864 	if (err)
865 		return err;
866 
867 	if (lseek(outfd, SEEK_SET, 0) == -1)
868 		err = got_error_from_errno();
869 
870 	return err;
871 }
872 
873 static const struct got_error *
874 request_blob(size_t *size, int outfd, int infd, struct imsgbuf *ibuf)
875 {
876 	const struct got_error *err = NULL;
877 	int outfd_child;
878 
879 	outfd_child = dup(outfd);
880 	if (outfd_child == -1)
881 		return got_error_from_errno();
882 
883 	err = got_privsep_send_blob_req(ibuf, infd);
884 	if (err)
885 		return err;
886 
887 	err = got_privsep_send_blob_outfd(ibuf, outfd_child);
888 	if (err) {
889 		close(outfd_child);
890 		return err;
891 	}
892 
893 	err = got_privsep_recv_blob(size, ibuf);
894 	if (err)
895 		return err;
896 
897 	if (lseek(outfd, SEEK_SET, 0) == -1)
898 		return got_error_from_errno();
899 
900 	return err;
901 }
902 
903 const struct got_error *
904 got_object_read_blob_privsep(size_t *size, int outfd, int infd,
905     struct got_repository *repo)
906 {
907 	int imsg_fds[2];
908 	pid_t pid;
909 	struct imsgbuf *ibuf;
910 
911 	if (repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_BLOB].imsg_fd != -1) {
912 		ibuf = repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_BLOB].ibuf;
913 		return request_blob(size, outfd, infd, ibuf);
914 	}
915 
916 	ibuf = calloc(1, sizeof(*ibuf));
917 	if (ibuf == NULL)
918 		return got_error_from_errno();
919 
920 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, imsg_fds) == -1)
921 		return got_error_from_errno();
922 
923 	pid = fork();
924 	if (pid == -1)
925 		return got_error_from_errno();
926 	else if (pid == 0) {
927 		exec_privsep_child(imsg_fds, GOT_PATH_PROG_READ_BLOB,
928 		    repo->path);
929 		/* not reached */
930 	}
931 
932 	close(imsg_fds[1]);
933 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_BLOB].imsg_fd =
934 	    imsg_fds[0];
935 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_BLOB].pid = pid;
936 	imsg_init(ibuf, imsg_fds[0]);
937 	repo->privsep_children[GOT_REPO_PRIVSEP_CHILD_BLOB].ibuf = ibuf;
938 
939 	return request_blob(size, outfd, infd, ibuf);
940 }