+ if (status == 0)
+ return ("Valid");
+ else if (status & GNUTLS_CERT_INVALID)
+ return ("Invalid");
+ else if (status & GNUTLS_CERT_REVOKED)
+ return ("Revoked");
+ else if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ return ("Signer not found");
+ else if (status & GNUTLS_CERT_SIGNER_NOT_CA)
+ return ("Signer not a CA");
+ else if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
+ return ("Insecure algorithm");
+#if GNUTLS_VERSION_NUMBER >= 0x020708
+ else if (status & GNUTLS_CERT_NOT_ACTIVATED)
+ return ("Not activated");
+ else if (status & GNUTLS_CERT_EXPIRED)
+ return ("Expired");
+#endif
+ else
+ return (NULL);
+} /* }}} const char *nc_verify_status_to_string */
+
+static void *nc_proxy_thread (void *args) /* {{{ */
+{
+ nc_proxy_t *data = args;
+ struct pollfd fds[2];
+ int gtls_fd;
+ long pagesize;
+
+ gtls_fd = (int) gnutls_transport_get_ptr (data->tls_session);
+ DEBUG ("netcmd plugin: nc_proxy_thread: pipe_rx = %i; pipe_tx = %i; gtls_fd = %i;",
+ data->pipe_rx, data->pipe_tx, gtls_fd);
+
+ memset (fds, 0, sizeof (fds));
+ fds[0].fd = data->pipe_rx;
+ fds[0].events = POLLIN | POLLPRI;
+ fds[1].fd = gtls_fd;
+ fds[1].events = POLLIN | POLLPRI;
+
+ pagesize = sysconf (_SC_PAGESIZE);
+
+ while (42)
+ {
+ char errbuf[1024];
+ char buffer[pagesize];
+ int status;
+
+ status = poll (fds, STATIC_ARRAY_SIZE(fds), /* timeout = */ -1);
+ if (status < 0)
+ {
+ if ((errno == EINTR) || (errno == EAGAIN))
+ continue;
+ ERROR ("netcmd plugin: poll(2) failed: %s",
+ sstrerror (errno, errbuf, sizeof (errbuf)));
+ break;
+ }
+
+ /* pipe -> TLS */
+ if (fds[0].revents != 0) /* {{{ */
+ {
+ ssize_t iostatus;
+ size_t buffer_size;
+ char *buffer_ptr;
+
+ DEBUG ("netcmd plugin: nc_proxy_thread: Something's up on the pipe.");
+
+ /* Check for hangup, error, ... */
+ if ((fds[0].revents & (POLLIN | POLLPRI)) == 0)
+ break;
+
+ iostatus = read (fds[0].fd, buffer, sizeof (buffer));
+ DEBUG ("netcmd plugin: nc_proxy_thread: Received %zi bytes from pipe.",
+ iostatus);
+ if (iostatus < 0)
+ {
+ if ((errno == EINTR) || (errno == EAGAIN))
+ continue;
+ ERROR ("netcmd plugin: read(2) failed: %s",
+ sstrerror (errno, errbuf, sizeof (errbuf)));
+ break;
+ }
+ else if (iostatus == 0)
+ {
+ break;
+ }
+
+ buffer_ptr = buffer;
+ buffer_size = (size_t) iostatus;
+ while (buffer_size > 0)
+ {
+ iostatus = gnutls_record_send (data->tls_session,
+ buffer, buffer_size);
+ DEBUG ("netcmd plugin: nc_proxy_thread: Wrote %zi bytes to GNU-TLS.",
+ iostatus);
+ if (iostatus < 0)
+ {
+ ERROR ("netcmd plugin: gnutls_record_send failed: %s",
+ gnutls_strerror ((int) iostatus));
+ break;
+ }
+
+ assert (iostatus <= buffer_size);
+ buffer_ptr += iostatus;
+ buffer_size -= iostatus;
+ } /* while (buffer_size > 0) */
+
+ if (buffer_size != 0)
+ break;
+
+ fds[0].revents = 0;
+ } /* }}} if (fds[0].revents != 0) */
+
+ /* TLS -> pipe */
+ if (fds[1].revents != 0) /* {{{ */
+ {
+ ssize_t iostatus;
+ size_t buffer_size;
+
+ DEBUG ("netcmd plugin: nc_proxy_thread: Something's up on the TLS socket.");
+
+ /* Check for hangup, error, ... */
+ if ((fds[1].revents & (POLLIN | POLLPRI)) == 0)
+ break;
+
+ iostatus = gnutls_record_recv (data->tls_session, buffer, sizeof (buffer));
+ DEBUG ("netcmd plugin: nc_proxy_thread: Received %zi bytes from GNU-TLS.",
+ iostatus);
+ if (iostatus < 0)
+ {
+ if ((iostatus == GNUTLS_E_INTERRUPTED)
+ || (iostatus == GNUTLS_E_AGAIN))
+ continue;
+ ERROR ("netcmd plugin: gnutls_record_recv failed: %s",
+ gnutls_strerror ((int) iostatus));
+ break;
+ }
+ else if (iostatus == 0)
+ {
+ break;
+ }
+
+ buffer_size = (size_t) iostatus;
+ iostatus = swrite (data->pipe_tx, buffer, buffer_size);
+ DEBUG ("netcmd plugin: nc_proxy_thread: Wrote %zi bytes to pipe.",
+ iostatus);
+
+ fds[1].revents = 0;
+ } /* }}} if (fds[1].revents != 0) */
+ } /* while (42) */
+
+ DEBUG ("netcmd plugin: nc_proxy_thread: Shutting down.");
+ return (NULL);
+} /* }}} void *nc_proxy_thread */
+
+/* Creates two pipes and a separate thread to pass data between two FILE* and
+ * the GNUTLS back and forth. This is required because the handle_<cmd>
+ * functions expect to be able to write to a FILE*. */
+static int nc_start_tls_file_handles (nc_connection_t *conn) /* {{{ */
+{
+#define BAIL_OUT(status) do { \
+ DEBUG ("netcmd plugin: nc_start_tls_file_handles: Bailing out with status %i.", (status)); \
+ if (proxy_config->pipe_rx >= 0) { close (proxy_config->pipe_rx); } \
+ if (proxy_config->pipe_tx >= 0) { close (proxy_config->pipe_tx); } \
+ if (conn->fh_in != NULL) { fclose (conn->fh_in); conn->fh_in = NULL; } \
+ if (conn->fh_out != NULL) { fclose (conn->fh_out); conn->fh_out = NULL; } \
+ free (proxy_config); \
+ return (status); \
+} while (0)
+
+ nc_proxy_t *proxy_config;
+ int pipe_fd[2];
+ int status;
+
+ pthread_attr_t attr;
+ pthread_t thread;
+
+ if ((conn->fh_in != NULL) || (conn->fh_out != NULL))
+ {
+ ERROR ("netcmd plugin: nc_start_tls_file_handles: Connection already connected.");
+ return (EEXIST);
+ }
+
+ proxy_config = malloc (sizeof (*proxy_config));
+ if (proxy_config == NULL)
+ {
+ ERROR ("netcmd plugin: malloc failed.");
+ return (ENOMEM);
+ }
+ memset (proxy_config, 0, sizeof (*proxy_config));
+ proxy_config->pipe_rx = -1;
+ proxy_config->pipe_tx = -1;
+ proxy_config->tls_session = conn->tls_session;
+
+ pipe_fd[0] = pipe_fd[1] = -1;
+ status = pipe (pipe_fd);
+ if (status != 0)
+ {
+ char errmsg[1024];
+ ERROR ("netcmd plugin: pipe(2) failed: %s",
+ sstrerror (errno, errmsg, sizeof (errmsg)));
+ BAIL_OUT (-1);
+ }
+ proxy_config->pipe_rx = pipe_fd[0];
+ conn->fh_out = fdopen (pipe_fd[1], "w");
+ if (conn->fh_out == NULL)
+ {
+ char errmsg[1024];
+ ERROR ("netcmd plugin: fdopen(2) failed: %s",
+ sstrerror (errno, errmsg, sizeof (errmsg)));
+ close (pipe_fd[1]);
+ BAIL_OUT (-1);
+ }
+
+ pipe_fd[0] = pipe_fd[1] = -1;
+ status = pipe (pipe_fd);
+ if (status != 0)
+ {
+ char errmsg[1024];
+ ERROR ("netcmd plugin: pipe(2) failed: %s",
+ sstrerror (errno, errmsg, sizeof (errmsg)));
+ BAIL_OUT (-1);
+ }
+ proxy_config->pipe_tx = pipe_fd[1];
+ conn->fh_in = fdopen (pipe_fd[0], "r");
+ if (conn->fh_in == NULL)
+ {
+ char errmsg[1024];
+ ERROR ("netcmd plugin: fdopen(2) failed: %s",
+ sstrerror (errno, errmsg, sizeof (errmsg)));
+ close (pipe_fd[0]);
+ BAIL_OUT (-1);
+ }
+
+ pthread_attr_init (&attr);
+ pthread_attr_setdetachstate (&attr, PTHREAD_CREATE_DETACHED);
+
+ status = pthread_create (&thread, &attr, nc_proxy_thread, proxy_config);
+ pthread_attr_destroy (&attr);
+ if (status != 0)
+ {
+ char errmsg[1024];
+ ERROR ("netcmd plugin: pthread_create(2) failed: %s",
+ sstrerror (errno, errmsg, sizeof (errmsg)));
+ BAIL_OUT (-1);
+ }
+
+ DEBUG ("netcmd plugin: nc_start_tls_file_handles: Successfully started proxy thread.");
+ return (0);
+} /* }}} int nc_start_tls_file_handles */
+
+static nc_peer_t *nc_fd_to_peer (int fd) /* {{{ */
+{
+ size_t i;
+
+ for (i = 0; i < peers_num; i++)
+ {
+ size_t j;
+
+ for (j = 0; j < peers[i].fds_num; j++)
+ if (peers[i].fds[j] == fd)
+ return (peers + i);
+ }
+
+ return (NULL);
+} /* }}} nc_peer_t *nc_fd_to_peer */
+
+static void nc_free_peer (nc_peer_t *p) /* {{{ */
+{
+ size_t i;
+ if (p == NULL)
+ return;
+
+ sfree (p->node);
+ sfree (p->service);
+
+ for (i = 0; i < p->fds_num; i++)
+ {
+ if (p->fds[i] >= 0)
+ close (p->fds[i]);
+ p->fds[i] = -1;
+ }
+ p->fds_num = 0;
+ sfree (p->fds);
+
+ sfree (p->tls_cert_file);
+ sfree (p->tls_key_file);
+ sfree (p->tls_ca_file);
+ sfree (p->tls_crl_file);
+
+ gnutls_certificate_free_credentials (p->tls_credentials);
+ gnutls_dh_params_deinit (p->tls_dh_params);
+ gnutls_priority_deinit (p->tls_priority);
+} /* }}} void nc_free_peer */
+
+static int nc_register_fd (nc_peer_t *peer, int fd) /* {{{ */
+{
+ struct pollfd *poll_ptr;
+ int *fd_ptr;
+
+ poll_ptr = realloc (pollfd, (pollfd_num + 1) * sizeof (*pollfd));
+ if (poll_ptr == NULL)
+ {
+ ERROR ("netcmd plugin: realloc failed.");
+ return (-1);
+ }
+ pollfd = poll_ptr;
+
+ memset (&pollfd[pollfd_num], 0, sizeof (pollfd[pollfd_num]));
+ pollfd[pollfd_num].fd = fd;
+ pollfd[pollfd_num].events = POLLIN | POLLPRI;
+ pollfd[pollfd_num].revents = 0;
+ pollfd_num++;
+
+ if (peer == NULL)
+ return (0);
+
+ fd_ptr = realloc (peer->fds, (peer->fds_num + 1) * sizeof (*peer->fds));
+ if (fd_ptr == NULL)
+ {
+ ERROR ("netcmd plugin: realloc failed.");
+ return (-1);
+ }
+ peer->fds = fd_ptr;
+ peer->fds[peer->fds_num] = fd;
+ peer->fds_num++;
+
+ return (0);