Game of Trees Repos

Blob

Date:: Wed Mar 8 09:27:14 2023 UTC
Message:: portable: configure: split out dependencies Rather than assume all dependencies are required for all programs, split them out. This will make packaging easier, as well as splitting the code to use subprojects. Note that due to the use of config.h semantics, in most cases the got_compat.h header file is now at the top of the .c file it is included in, so that it can handle the system header inclusion properly.
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2022 Josh Rickmar <jrick@zettaport.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "got_compat.h"
18 
19 #include <sys/time.h>
20 #include <sys/types.h>
21 #include <sys/stat.h>
22 #include <sys/socket.h>
23 #include <sys/queue.h>
24 #include <sys/wait.h>
25 
26 #include <stdlib.h>
27 #include <stdio.h>
28 #include <fcntl.h>
29 #include <unistd.h>
30 #include <string.h>
31 #include <err.h>
32 #include <assert.h>
33 
34 #include "got_error.h"
35 #include "got_date.h"
36 #include "got_object.h"
37 #include "got_opentemp.h"
38 
39 #include "got_sigs.h"
40 #include "buf.h"
41 
42 #ifndef MIN
43 #define	MIN(_a,_b) ((_a) < (_b) ? (_a) : (_b))
44 #endif
45 
46 #ifndef nitems
47 #define nitems(_a)	(sizeof((_a)) / sizeof((_a)[0]))
48 #endif
49 
50 #ifndef GOT_TAG_PATH_SSH_KEYGEN
51 #define GOT_TAG_PATH_SSH_KEYGEN	"/usr/bin/ssh-keygen"
52 #endif
53 
54 #ifndef GOT_TAG_PATH_SIGNIFY
55 #define GOT_TAG_PATH_SIGNIFY "/usr/bin/signify"
56 #endif
57 
58 const struct got_error *
59 got_sigs_apply_unveil(void)
60 {
61 	if (unveil(GOT_TAG_PATH_SSH_KEYGEN, "x") != 0) {
62 		return got_error_from_errno2("unveil",
63 		    GOT_TAG_PATH_SSH_KEYGEN);
64 	}
65 	if (unveil(GOT_TAG_PATH_SIGNIFY, "x") != 0) {
66 		return got_error_from_errno2("unveil",
67 		    GOT_TAG_PATH_SIGNIFY);
68 	}
69 
70 	return NULL;
71 }
72 
73 const struct got_error *
74 got_sigs_sign_tag_ssh(pid_t *newpid, int *in_fd, int *out_fd,
75     const char* key_file, int verbosity)
76 {
77 	const struct got_error *error = NULL;
78 	int pid, in_pfd[2], out_pfd[2];
79 	const char* argv[11];
80 	int i = 0, j;
81 
82 	*newpid = -1;
83 	*in_fd = -1;
84 	*out_fd = -1;
85 
86 	argv[i++] = GOT_TAG_PATH_SSH_KEYGEN;
87 	argv[i++] = "-Y";
88 	argv[i++] = "sign";
89 	argv[i++] = "-f";
90 	argv[i++] = key_file;
91 	argv[i++] = "-n";
92 	argv[i++] = "git";
93 	if (verbosity <= 0) {
94 		argv[i++] = "-q";
95 	} else {
96 		/* ssh(1) allows up to 3 "-v" options. */
97 		for (j = 0; j < MIN(3, verbosity); j++)
98 			argv[i++] = "-v";
99 	}
100 	argv[i++] = NULL;
101 	assert(i <= nitems(argv));
102 
103 	if (pipe(in_pfd) == -1)
104 		return got_error_from_errno("pipe");
105 	if (pipe(out_pfd) == -1)
106 		return got_error_from_errno("pipe");
107 
108 	pid = fork();
109 	if (pid == -1) {
110 		error = got_error_from_errno("fork");
111 		close(in_pfd[0]);
112 		close(in_pfd[1]);
113 		close(out_pfd[0]);
114 		close(out_pfd[1]);
115 		return error;
116 	} else if (pid == 0) {
117 		if (close(in_pfd[1]) == -1)
118 			err(1, "close");
119 		if (close(out_pfd[0]) == -1)
120 			err(1, "close");
121 		if (dup2(in_pfd[0], 0) == -1)
122 			err(1, "dup2");
123 		if (dup2(out_pfd[1], 1) == -1)
124 			err(1, "dup2");
125 		if (execv(GOT_TAG_PATH_SSH_KEYGEN, (char **const)argv) == -1)
126 			err(1, "execv");
127 		abort(); /* not reached */
128 	}
129 	if (close(in_pfd[0]) == -1)
130 		return got_error_from_errno("close");
131 	if (close(out_pfd[1]) == -1)
132 		return got_error_from_errno("close");
133 	*newpid = pid;
134 	*in_fd = in_pfd[1];
135 	*out_fd = out_pfd[0];
136 	return NULL;
137 }
138 
139 static char *
140 signer_identity(const char *tagger)
141 {
142 	char *lt, *gt;
143 
144 	lt = strstr(tagger, " <");
145 	gt = strrchr(tagger, '>');
146 	if (lt && gt && lt+1 < gt)
147 		return strndup(lt+2, gt-lt-2);
148 	return NULL;
149 }
150 
151 static const char* BEGIN_SSH_SIG = "-----BEGIN SSH SIGNATURE-----\n";
152 static const char* END_SSH_SIG = "-----END SSH SIGNATURE-----\n";
153 
154 const char *
155 got_sigs_get_tagmsg_ssh_signature(const char *tagmsg)
156 {
157 	const char *s = tagmsg, *begin = NULL, *end = NULL;
158 
159 	while ((s = strstr(s, BEGIN_SSH_SIG)) != NULL) {
160 		begin = s;
161 		s += strlen(BEGIN_SSH_SIG);
162 	}
163 	if (begin)
164 		end = strstr(begin+strlen(BEGIN_SSH_SIG), END_SSH_SIG);
165 	if (end == NULL)
166 		return NULL;
167 	return (end[strlen(END_SSH_SIG)] == '\0') ? begin : NULL;
168 }
169 
170 static const struct got_error *
171 got_tag_write_signed_data(BUF *buf, struct got_tag_object *tag,
172     const char *start_sig)
173 {
174 	const struct got_error *err = NULL;
175 	struct got_object_id *id;
176 	char *id_str = NULL;
177 	char *tagger = NULL;
178 	const char *tagmsg;
179 	char gmtoff[6];
180 	size_t len;
181 
182 	id = got_object_tag_get_object_id(tag);
183 	err = got_object_id_str(&id_str, id);
184 	if (err)
185 		goto done;
186 
187 	const char *type_label = NULL;
188 	switch (got_object_tag_get_object_type(tag)) {
189 	case GOT_OBJ_TYPE_BLOB:
190 		type_label = GOT_OBJ_LABEL_BLOB;
191 		break;
192 	case GOT_OBJ_TYPE_TREE:
193 		type_label = GOT_OBJ_LABEL_TREE;
194 		break;
195 	case GOT_OBJ_TYPE_COMMIT:
196 		type_label = GOT_OBJ_LABEL_COMMIT;
197 		break;
198 	case GOT_OBJ_TYPE_TAG:
199 		type_label = GOT_OBJ_LABEL_TAG;
200 		break;
201 	default:
202 		break;
203 	}
204 	got_date_format_gmtoff(gmtoff, sizeof(gmtoff),
205 	    got_object_tag_get_tagger_gmtoff(tag));
206 	if (asprintf(&tagger, "%s %lld %s", got_object_tag_get_tagger(tag),
207 	    (long long)got_object_tag_get_tagger_time(tag), gmtoff) == -1) {
208 		err = got_error_from_errno("asprintf");
209 		goto done;
210 	}
211 
212 	err = buf_puts(&len, buf, GOT_TAG_LABEL_OBJECT);
213 	if (err)
214 		goto done;
215 	err = buf_puts(&len, buf, id_str);
216 	if (err)
217 		goto done;
218 	err = buf_putc(buf, '\n');
219 	if (err)
220 		goto done;
221 	err = buf_puts(&len, buf, GOT_TAG_LABEL_TYPE);
222 	if (err)
223 		goto done;
224 	err = buf_puts(&len, buf, type_label);
225 	if (err)
226 		goto done;
227 	err = buf_putc(buf, '\n');
228 	if (err)
229 		goto done;
230 	err = buf_puts(&len, buf, GOT_TAG_LABEL_TAG);
231 	if (err)
232 		goto done;
233 	err = buf_puts(&len, buf, got_object_tag_get_name(tag));
234 	if (err)
235 		goto done;
236 	err = buf_putc(buf, '\n');
237 	if (err)
238 		goto done;
239 	err = buf_puts(&len, buf, GOT_TAG_LABEL_TAGGER);
240 	if (err)
241 		goto done;
242 	err = buf_puts(&len, buf, tagger);
243 	if (err)
244 		goto done;
245 	err = buf_puts(&len, buf, "\n");
246 	if (err)
247 		goto done;
248 	tagmsg = got_object_tag_get_message(tag);
249 	err = buf_append(&len, buf, tagmsg, start_sig-tagmsg);
250 	if (err)
251 		goto done;
252 
253 done:
254 	free(id_str);
255 	free(tagger);
256 	return err;
257 }
258 
259 const struct got_error *
260 got_sigs_verify_tag_ssh(char **msg, struct got_tag_object *tag,
261     const char *start_sig, const char* allowed_signers, const char* revoked,
262     int verbosity)
263 {
264 	const struct got_error *error = NULL;
265 	const char* argv[17];
266 	int pid, status, in_pfd[2], out_pfd[2];
267 	char* parsed_identity = NULL;
268 	const char *identity;
269 	char *tmppath = NULL;
270 	FILE *tmpsig = NULL;
271 	BUF *buf;
272 	int i = 0, j;
273 
274 	*msg = NULL;
275 
276 	error = got_opentemp_named(&tmppath, &tmpsig,
277 	    GOT_TMPDIR_STR "/got-tagsig", "");
278 	if (error)
279 		goto done;
280 
281 	identity = got_object_tag_get_tagger(tag);
282 	parsed_identity = signer_identity(identity);
283 	if (parsed_identity != NULL)
284 		identity = parsed_identity;
285 
286 	if (fputs(start_sig, tmpsig) == EOF) {
287 		error = got_error_from_errno("fputs");
288 		goto done;
289 	}
290 	if (fflush(tmpsig) == EOF) {
291 		error = got_error_from_errno("fflush");
292 		goto done;
293 	}
294 
295 	error = buf_alloc(&buf, 0);
296 	if (error)
297 		goto done;
298 	error = got_tag_write_signed_data(buf, tag, start_sig);
299 	if (error)
300 		goto done;
301 
302 	argv[i++] = GOT_TAG_PATH_SSH_KEYGEN;
303 	argv[i++] = "-Y";
304 	argv[i++] = "verify";
305 	argv[i++] = "-f";
306 	argv[i++] = allowed_signers;
307 	argv[i++] = "-I";
308 	argv[i++] = identity;
309 	argv[i++] = "-n";
310 	argv[i++] = "git";
311 	argv[i++] = "-s";
312 	argv[i++] = tmppath;
313 	if (revoked) {
314 		argv[i++] = "-r";
315 		argv[i++] = revoked;
316 	}
317 	if (verbosity > 0) {
318 		/* ssh(1) allows up to 3 "-v" options. */
319 		for (j = 0; j < MIN(3, verbosity); j++)
320 			argv[i++] = "-v";
321 	}
322 	argv[i++] = NULL;
323 	assert(i <= nitems(argv));
324 
325 	if (pipe(in_pfd) == -1) {
326 		error = got_error_from_errno("pipe");
327 		goto done;
328 	}
329 	if (pipe(out_pfd) == -1) {
330 		error = got_error_from_errno("pipe");
331 		goto done;
332 	}
333 
334 	pid = fork();
335 	if (pid == -1) {
336 		error = got_error_from_errno("fork");
337 		close(in_pfd[0]);
338 		close(in_pfd[1]);
339 		close(out_pfd[0]);
340 		close(out_pfd[1]);
341 		return error;
342 	} else if (pid == 0) {
343 		if (close(in_pfd[1]) == -1)
344 			err(1, "close");
345 		if (close(out_pfd[0]) == -1)
346 			err(1, "close");
347 		if (dup2(in_pfd[0], 0) == -1)
348 			err(1, "dup2");
349 		if (dup2(out_pfd[1], 1) == -1)
350 			err(1, "dup2");
351 		if (execv(GOT_TAG_PATH_SSH_KEYGEN, (char **const)argv) == -1)
352 			err(1, "execv");
353 		abort(); /* not reached */
354 	}
355 	if (close(in_pfd[0]) == -1) {
356 		error = got_error_from_errno("close");
357 		goto done;
358 	}
359 	if (close(out_pfd[1]) == -1) {
360 		error = got_error_from_errno("close");
361 		goto done;
362 	}
363 	if (buf_write_fd(buf, in_pfd[1]) == -1) {
364 		error = got_error_from_errno("write");
365 		goto done;
366 	}
367 	if (close(in_pfd[1]) == -1) {
368 		error = got_error_from_errno("close");
369 		goto done;
370 	}
371 	if (waitpid(pid, &status, 0) == -1) {
372 		error = got_error_from_errno("waitpid");
373 		goto done;
374 	}
375 	if (!WIFEXITED(status)) {
376 		error = got_error(GOT_ERR_BAD_TAG_SIGNATURE);
377 		goto done;
378 	}
379 
380 	error = buf_load_fd(&buf, out_pfd[0]);
381 	if (error)
382 		goto done;
383 	error = buf_putc(buf, '\0');
384 	if (error)
385 		goto done;
386 	if (close(out_pfd[0]) == -1) {
387 		error = got_error_from_errno("close");
388 		goto done;
389 	}
390 	*msg = buf_get(buf);
391 	if (WEXITSTATUS(status) != 0)
392 		error = got_error(GOT_ERR_BAD_TAG_SIGNATURE);
393 
394 done:
395 	free(parsed_identity);
396 	if (tmppath && unlink(tmppath) == -1 && error == NULL)
397 		error = got_error_from_errno("unlink");
398 	free(tmppath);
399 	close(out_pfd[0]);
400 	if (tmpsig && fclose(tmpsig) == EOF && error == NULL)
401 		error = got_error_from_errno("fclose");
402 	return error;
403 }