libgocryptfs/internal/ctlsocksrv/ctlsock_serve.go

// Package ctlsocksrv implements the control socket interface that can be
// activated by passing "-ctlsock" on the command line.
package ctlsocksrv

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"syscall"

	"github.com/rfjakob/gocryptfs/v2/ctlsock"
	"github.com/rfjakob/gocryptfs/v2/internal/tlog"
)

// Interface should be implemented by fusefrontend[_reverse]
type Interface interface {
	EncryptPath(string) (string, error)
	DecryptPath(string) (string, error)
}

type ctlSockHandler struct {
	fs     Interface
	socket *net.UnixListener
}

// Serve serves incoming connections on "sock". This call blocks so you
// probably want to run it in a new goroutine.
func Serve(sock net.Listener, fs Interface) {
	handler := ctlSockHandler{
		fs:     fs,
		socket: sock.(*net.UnixListener),
	}
	handler.acceptLoop()
}

func (ch *ctlSockHandler) acceptLoop() {
	for {
		conn, err := ch.socket.Accept()
		if err != nil {
			// This can trigger on program exit with "use of closed network connection".
			// Special-casing this is hard due to https://github.com/golang/go/issues/4373
			// so just don't use tlog.Warn to not cause panics in the tests.
			tlog.Info.Printf("ctlsock: Accept error: %v", err)
			break
		}
		go ch.handleConnection(conn.(*net.UnixConn))
	}
}

// ReadBufSize is the size of the request read buffer.
// The longest possible path is 4096 bytes on Linux and 1024 on Mac OS X so
// 5000 bytes should be enough to hold the whole JSON request. This
// assumes that the path does not contain too many characters that had to be
// be escaped in JSON (for example, a null byte blows up to "\u0000").
// We abort the connection if the request is bigger than this.
const ReadBufSize = 5000

// handleConnection reads and parses JSON requests from "conn"
func (ch *ctlSockHandler) handleConnection(conn *net.UnixConn) {
	buf := make([]byte, ReadBufSize)
	for {
		n, err := conn.Read(buf)
		if err == io.EOF {
			conn.Close()
			return
		} else if err != nil {
			tlog.Warn.Printf("ctlsock: Read error: %#v", err)
			conn.Close()
			return
		}
		if n == ReadBufSize {
			tlog.Warn.Printf("ctlsock: request too big (max = %d bytes)", ReadBufSize-1)
			conn.Close()
			return
		}
		data := buf[:n]
		var in ctlsock.RequestStruct
		err = json.Unmarshal(data, &in)
		if err != nil {
			tlog.Warn.Printf("ctlsock: JSON Unmarshal error: %#v", err)
			err = errors.New("JSON Unmarshal error: " + err.Error())
			sendResponse(conn, err, "", "")
			continue
		}
		ch.handleRequest(&in, conn)
	}
}

// handleRequest handles an already-unmarshaled JSON request
func (ch *ctlSockHandler) handleRequest(in *ctlsock.RequestStruct, conn *net.UnixConn) {
	var err error
	var inPath, outPath, clean, warnText string
	// You cannot perform both decryption and encryption in one request
	if in.DecryptPath != "" && in.EncryptPath != "" {
		err = errors.New("Ambiguous")
		sendResponse(conn, err, "", "")
		return
	}
	// Neither encryption nor encryption has been requested, makes no sense
	if in.DecryptPath == "" && in.EncryptPath == "" {
		err = errors.New("Empty input")
		sendResponse(conn, err, "", "")
		return
	}
	// Canonicalize input path
	if in.EncryptPath != "" {
		inPath = in.EncryptPath
	} else {
		inPath = in.DecryptPath
	}
	clean = SanitizePath(inPath)
	// Warn if a non-canonical path was passed
	if inPath != clean {
		warnText = fmt.Sprintf("Non-canonical input path '%s' has been interpreted as '%s'.", inPath, clean)
	}
	// Error out if the canonical path is now empty
	if clean == "" {
		err = errors.New("Empty input after canonicalization")
		sendResponse(conn, err, "", warnText)
		return
	}
	// Actual encrypt or decrypt operation
	if in.EncryptPath != "" {
		outPath, err = ch.fs.EncryptPath(clean)
	} else {
		outPath, err = ch.fs.DecryptPath(clean)
	}
	sendResponse(conn, err, outPath, warnText)
}

// sendResponse sends a JSON response message
func sendResponse(conn *net.UnixConn, err error, result string, warnText string) {
	msg := ctlsock.ResponseStruct{
		Result:   result,
		WarnText: warnText,
	}
	if err != nil {
		msg.ErrText = err.Error()
		msg.ErrNo = -1
		// Try to extract the actual error number
		if pe, ok := err.(*os.PathError); ok {
			if se, ok := pe.Err.(syscall.Errno); ok {
				msg.ErrNo = int32(se)
			}
		} else if err == syscall.ENOENT {
			msg.ErrNo = int32(syscall.ENOENT)
		}
	}
	jsonMsg, err := json.Marshal(msg)
	if err != nil {
		tlog.Warn.Printf("ctlsock: Marshal failed: %v", err)
		return
	}
	// For convenience for the user, add a newline at the end.
	jsonMsg = append(jsonMsg, '\n')
	_, err = conn.Write(jsonMsg)
	if err != nil {
		tlog.Warn.Printf("ctlsock: Write failed: %v", err)
	}
}
ctlsock: create exported ctlsock client library The former interal ctlsock server package is renamed to ctlsocksrv. 2020-05-09 17:36:41 +02:00			`// Package ctlsocksrv implements the control socket interface that can be`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`// activated by passing "-ctlsock" on the command line.`
ctlsock: create exported ctlsock client library The former interal ctlsock server package is renamed to ctlsocksrv. 2020-05-09 17:36:41 +02:00			`package ctlsocksrv`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00
			`import (`
			`"encoding/json"`
			`"errors"`
ctlsock: sanitize paths before passing them to the backend You used to be able to crash gocryptfs by passing "/foo" of "foo/" to the ctlsock. Fixes https://github.com/rfjakob/gocryptfs/issues/66 2016-12-10 12:59:54 +01:00			`"fmt"`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`"io"`
			`"net"`
			`"os"`
			`"syscall"`

go mod: declare module version v2 Our git version is v2+ for some time now, but go.mod still declared v1. Hopefully making both match makes https://pkg.go.dev/github.com/rfjakob/gocryptfs/v2 work. All the import paths have been fixed like this: find . -name \*.go \| xargs sed -i s%github.com/rfjakob/gocryptfs/%github.com/rfjakob/gocryptfs/v2/% 2021-08-23 15:05:15 +02:00			`"github.com/rfjakob/gocryptfs/v2/ctlsock"`
			`"github.com/rfjakob/gocryptfs/v2/internal/tlog"`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`)`

			`// Interface should be implemented by fusefrontend[_reverse]`
			`type Interface interface {`
			`EncryptPath(string) (string, error)`
			`DecryptPath(string) (string, error)`
			`}`

			`type ctlSockHandler struct {`
			`fs Interface`
			`socket *net.UnixListener`
			`}`

ctlsock: exit early if socket cannot be created; delete on exit Both are achieved by opening the socket from main and passing it to the ctlsock package instead of passing the path. 2016-12-10 14:54:06 +01:00			`// Serve serves incoming connections on "sock". This call blocks so you`
			`// probably want to run it in a new goroutine.`
			`func Serve(sock net.Listener, fs Interface) {`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`handler := ctlSockHandler{`
			`fs: fs,`
			`socket: sock.(*net.UnixListener),`
			`}`
ctlsock: exit early if socket cannot be created; delete on exit Both are achieved by opening the socket from main and passing it to the ctlsock package instead of passing the path. 2016-12-10 14:54:06 +01:00			`handler.acceptLoop()`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`}`

			`func (ch *ctlSockHandler) acceptLoop() {`
			`for {`
			`conn, err := ch.socket.Accept()`
			`if err != nil {`
ctlsock: don't Warn() on closed socket This Warn() is causing panics in the test suite on MacOS: https://github.com/rfjakob/gocryptfs/issues/213 2018-02-27 09:58:14 +01:00			`// This can trigger on program exit with "use of closed network connection".`
			`// Special-casing this is hard due to https://github.com/golang/go/issues/4373`
			`// so just don't use tlog.Warn to not cause panics in the tests.`
			`tlog.Info.Printf("ctlsock: Accept error: %v", err)`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`break`
			`}`
			`go ch.handleConnection(conn.(*net.UnixConn))`
			`}`
			`}`

golint comment fix internal/ctlsock/ctlsock_serve.go:73:1: comment on exported const ReadBufSize should be of the form "ReadBufSize ..." 2017-01-29 19:01:16 +01:00			`// ReadBufSize is the size of the request read buffer.`
ctlsock: abort the connection if the request is too big Reading partial JSON would cause a mess. Just kill the connection. Also, stop using syscall.PathMax that is not defined on Darwin ( https://github.com/rfjakob/gocryptfs/issues/15#issuecomment-264253024 ) 2016-12-10 20:41:40 +01:00			`// The longest possible path is 4096 bytes on Linux and 1024 on Mac OS X so`
			`// 5000 bytes should be enough to hold the whole JSON request. This`
			`// assumes that the path does not contain too many characters that had to be`
			`// be escaped in JSON (for example, a null byte blows up to "\u0000").`
			`// We abort the connection if the request is bigger than this.`
			`const ReadBufSize = 5000`

ctlsock: handle non-canonical empty paths We have to check if the input path is empty AFTER canonicalizing it, too! 2017-02-05 18:07:14 +01:00			`// handleConnection reads and parses JSON requests from "conn"`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`func (ch ctlSockHandler) handleConnection(conn net.UnixConn) {`
ctlsock: abort the connection if the request is too big Reading partial JSON would cause a mess. Just kill the connection. Also, stop using syscall.PathMax that is not defined on Darwin ( https://github.com/rfjakob/gocryptfs/issues/15#issuecomment-264253024 ) 2016-12-10 20:41:40 +01:00			`buf := make([]byte, ReadBufSize)`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`for {`
			`n, err := conn.Read(buf)`
			`if err == io.EOF {`
			`conn.Close()`
			`return`
			`} else if err != nil {`
			`tlog.Warn.Printf("ctlsock: Read error: %#v", err)`
			`conn.Close()`
			`return`
			`}`
ctlsock: abort the connection if the request is too big Reading partial JSON would cause a mess. Just kill the connection. Also, stop using syscall.PathMax that is not defined on Darwin ( https://github.com/rfjakob/gocryptfs/issues/15#issuecomment-264253024 ) 2016-12-10 20:41:40 +01:00			`if n == ReadBufSize {`
			`tlog.Warn.Printf("ctlsock: request too big (max = %d bytes)", ReadBufSize-1)`
			`conn.Close()`
			`return`
			`}`
ctlsock: fix buffer truncation of JSON unmarshal error In the error case, buf was not restored to the original capacity. Instead of truncating "buf" and restoring (or forgetting to restore) later, introduce the "data" slice. Fixes https://github.com/rfjakob/gocryptfs/issues/356 2019-01-20 12:13:49 +01:00			`data := buf[:n]`
ctlsock: create exported ctlsock client library The former interal ctlsock server package is renamed to ctlsocksrv. 2020-05-09 17:36:41 +02:00			`var in ctlsock.RequestStruct`
ctlsock: fix buffer truncation of JSON unmarshal error In the error case, buf was not restored to the original capacity. Instead of truncating "buf" and restoring (or forgetting to restore) later, introduce the "data" slice. Fixes https://github.com/rfjakob/gocryptfs/issues/356 2019-01-20 12:13:49 +01:00			`err = json.Unmarshal(data, &in)`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`if err != nil {`
ctlsock: abort message processing on JSON error The code was missing a "continue" in that branch. Also improve the error messages a bit. 2017-01-29 18:24:47 +01:00			`tlog.Warn.Printf("ctlsock: JSON Unmarshal error: %#v", err)`
ctlsock: handle non-canonical empty paths We have to check if the input path is empty AFTER canonicalizing it, too! 2017-02-05 18:07:14 +01:00			`err = errors.New("JSON Unmarshal error: " + err.Error())`
			`sendResponse(conn, err, "", "")`
ctlsock: abort message processing on JSON error The code was missing a "continue" in that branch. Also improve the error messages a bit. 2017-01-29 18:24:47 +01:00			`continue`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`}`
			`ch.handleRequest(&in, conn)`
			`}`
			`}`

ctlsock: handle non-canonical empty paths We have to check if the input path is empty AFTER canonicalizing it, too! 2017-02-05 18:07:14 +01:00			`// handleRequest handles an already-unmarshaled JSON request`
ctlsock: create exported ctlsock client library The former interal ctlsock server package is renamed to ctlsocksrv. 2020-05-09 17:36:41 +02:00			`func (ch ctlSockHandler) handleRequest(in ctlsock.RequestStruct, conn *net.UnixConn) {`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`var err error`
ctlsock: handle non-canonical empty paths We have to check if the input path is empty AFTER canonicalizing it, too! 2017-02-05 18:07:14 +01:00			`var inPath, outPath, clean, warnText string`
			`// You cannot perform both decryption and encryption in one request`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`if in.DecryptPath != "" && in.EncryptPath != "" {`
Fix spelling (#205) 2018-02-04 20:38:22 +01:00			`err = errors.New("Ambiguous")`
ctlsock: handle non-canonical empty paths We have to check if the input path is empty AFTER canonicalizing it, too! 2017-02-05 18:07:14 +01:00			`sendResponse(conn, err, "", "")`
			`return`
			`}`
			`// Neither encryption nor encryption has been requested, makes no sense`
			`if in.DecryptPath == "" && in.EncryptPath == "" {`
			`err = errors.New("Empty input")`
			`sendResponse(conn, err, "", "")`
			`return`
			`}`
			`// Canonicalize input path`
			`if in.EncryptPath != "" {`
ctlsock: sanitize paths before passing them to the backend You used to be able to crash gocryptfs by passing "/foo" of "foo/" to the ctlsock. Fixes https://github.com/rfjakob/gocryptfs/issues/66 2016-12-10 12:59:54 +01:00			`inPath = in.EncryptPath`
ctlsock: handle non-canonical empty paths We have to check if the input path is empty AFTER canonicalizing it, too! 2017-02-05 18:07:14 +01:00			`} else {`
			`inPath = in.DecryptPath`
			`}`
			`clean = SanitizePath(inPath)`
			`// Warn if a non-canonical path was passed`
			`if inPath != clean {`
			`warnText = fmt.Sprintf("Non-canonical input path '%s' has been interpreted as '%s'.", inPath, clean)`
			`}`
			`// Error out if the canonical path is now empty`
			`if clean == "" {`
			`err = errors.New("Empty input after canonicalization")`
			`sendResponse(conn, err, "", warnText)`
			`return`
			`}`
			`// Actual encrypt or decrypt operation`
			`if in.EncryptPath != "" {`
			`outPath, err = ch.fs.EncryptPath(clean)`
			`} else {`
			`outPath, err = ch.fs.DecryptPath(clean)`
			`}`
			`sendResponse(conn, err, outPath, warnText)`
			`}`

			`// sendResponse sends a JSON response message`
			`func sendResponse(conn *net.UnixConn, err error, result string, warnText string) {`
ctlsock: create exported ctlsock client library The former interal ctlsock server package is renamed to ctlsocksrv. 2020-05-09 17:36:41 +02:00			`msg := ctlsock.ResponseStruct{`
ctlsock: handle non-canonical empty paths We have to check if the input path is empty AFTER canonicalizing it, too! 2017-02-05 18:07:14 +01:00			`Result: result,`
			`WarnText: warnText,`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`}`
			`if err != nil {`
ctlsock: handle non-canonical empty paths We have to check if the input path is empty AFTER canonicalizing it, too! 2017-02-05 18:07:14 +01:00			`msg.ErrText = err.Error()`
			`msg.ErrNo = -1`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`// Try to extract the actual error number`
			`if pe, ok := err.(*os.PathError); ok {`
			`if se, ok := pe.Err.(syscall.Errno); ok {`
ctlsock: handle non-canonical empty paths We have to check if the input path is empty AFTER canonicalizing it, too! 2017-02-05 18:07:14 +01:00			`msg.ErrNo = int32(se)`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`}`
fsck: clean up log output Make sure we get only 1 warning output per problem. Also, add new corruption types to broken_fs_v1.4. 2018-04-02 18:32:30 +02:00			`} else if err == syscall.ENOENT {`
			`msg.ErrNo = int32(syscall.ENOENT)`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`}`
			`}`
			`jsonMsg, err := json.Marshal(msg)`
			`if err != nil {`
			`tlog.Warn.Printf("ctlsock: Marshal failed: %v", err)`
			`return`
			`}`
ctlsock: sanitize paths before passing them to the backend You used to be able to crash gocryptfs by passing "/foo" of "foo/" to the ctlsock. Fixes https://github.com/rfjakob/gocryptfs/issues/66 2016-12-10 12:59:54 +01:00			`// For convenience for the user, add a newline at the end.`
			`jsonMsg = append(jsonMsg, '\n')`
ctlsock: add initial limited implementation At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths. 2016-11-10 00:27:08 +01:00			`_, err = conn.Write(jsonMsg)`
			`if err != nil {`
			`tlog.Warn.Printf("ctlsock: Write failed: %v", err)`
			`}`
			`}`