#include <h/mh.h>
#include <h/utils.h>
#include <h/netsec.h>
+#include <h/oauth.h>
#include <stdarg.h>
#include <sys/select.h>
*/
struct _netsec_context {
- int ns_fd; /* Descriptor for network connection */
+ int ns_readfd; /* Read descriptor for network connection */
+ int ns_writefd; /* Write descriptor for network connection */
int ns_snoop; /* If true, display network data */
+ int ns_snoop_noend; /* If true, didn't get a CR/LF on last line */
+ netsec_snoop_callback *ns_snoop_cb; /* Snoop output callback */
+ void *ns_snoop_context; /* Context data for snoop function */
int ns_timeout; /* Network read timeout, in seconds */
char *ns_userid; /* Userid for authentication */
unsigned char *ns_inbuffer; /* Our read input buffer */
unsigned char *ns_outptr; /* Output buffer pointer */
unsigned int ns_outbuflen; /* Output buffer data length */
unsigned int ns_outbufsize; /* Output buffer size */
+ char *sasl_mech; /* User-requested mechanism */
+#ifdef OAUTH_SUPPORT
+ char *oauth_service; /* OAuth2 service name */
+#endif /* OAUTH_SUPPORT */
#ifdef CYRUS_SASL
char *sasl_hostname; /* Hostname we've connected to */
- char *sasl_mech; /* User-requested mechanism */
sasl_conn_t *sasl_conn; /* SASL connection context */
sasl_ssf_t sasl_ssf; /* SASL Security Strength Factor */
netsec_sasl_callback sasl_proto_cb; /* SASL callback we use */
#endif /* TLS_SUPPORT */
};
-/*
- * Function to allocate error message strings
- */
-
-static void netsec_err(char **errstr, const char *format, ...);
-
/*
* Function to read data from the actual network socket
*/
{
netsec_context *nsc = mh_xmalloc(sizeof(*nsc));
- nsc->ns_fd = -1;
+ nsc->ns_readfd = -1;
+ nsc->ns_writefd = -1;
nsc->ns_snoop = 0;
+ nsc->ns_snoop_noend = 0;
+ nsc->ns_snoop_cb = NULL;
+ nsc->ns_snoop_context = NULL;
nsc->ns_userid = NULL;
nsc->ns_timeout = 60; /* Our default */
nsc->ns_inbufsize = NETSEC_BUFSIZE;
nsc->ns_outbuffer = mh_xmalloc(nsc->ns_outbufsize);
nsc->ns_outptr = nsc->ns_outbuffer;
nsc->ns_outbuflen = 0;
+ nsc->sasl_mech = NULL;
+#ifdef OAUTH_SUPPORT
+ nsc->oauth_service = NULL;
+#endif /* OAUTH_SUPPORT */
#ifdef CYRUS_SASL
nsc->sasl_conn = NULL;
nsc->sasl_hostname = NULL;
- nsc->sasl_mech = NULL;
nsc->sasl_cbs = NULL;
nsc->sasl_creds = NULL;
nsc->sasl_secret = NULL;
/*
* Shutdown the connection completely and free all resources.
- * The connection is not closed, however.
+ * The connection is only closed if the flag is given.
*/
void
-netsec_shutdown(netsec_context *nsc)
+netsec_shutdown(netsec_context *nsc, int closeflag)
{
if (nsc->ns_userid)
free(nsc->ns_userid);
free(nsc->ns_inbuffer);
if (nsc->ns_outbuffer)
free(nsc->ns_outbuffer);
+ if (nsc->sasl_mech)
+ free(nsc->sasl_mech);
+#ifdef OAUTH_SERVICE
+ if (nsc->oauth_service)
+ free(nsc->oauth_service);
+#endif /* OAUTH_SERVICE */
#ifdef CYRUS_SASL
if (nsc->sasl_conn)
sasl_dispose(&nsc->sasl_conn);
if (nsc->sasl_hostname)
free(nsc->sasl_hostname);
- if (nsc->sasl_mech)
- free(nsc->sasl_mech);
if (nsc->sasl_cbs)
free(nsc->sasl_cbs);
if (nsc->sasl_creds) {
BIO_free_all(nsc->ssl_io);
#endif /* TLS_SUPPORT */
+ if (closeflag) {
+ if (nsc->ns_readfd != -1)
+ close(nsc->ns_readfd);
+ if (nsc->ns_writefd != -1 && nsc->ns_writefd != nsc->ns_readfd)
+ close(nsc->ns_writefd);
+ }
+
free(nsc);
}
*/
void
-netsec_set_fd(netsec_context *nsc, int fd)
+netsec_set_fd(netsec_context *nsc, int readfd, int writefd)
{
- nsc->ns_fd = fd;
+ nsc->ns_readfd = readfd;
+ nsc->ns_writefd = writefd;
}
/*
nsc->ns_snoop = snoop;
}
+/*
+ * Set the snoop callback for this connection.
+ */
+
+void netsec_set_snoop_callback(netsec_context *nsc,
+ netsec_snoop_callback callback, void *context)
+{
+ nsc->ns_snoop_cb = callback;
+ nsc->ns_snoop_context = context;
+}
+
+/*
+ * A base64-decoding snoop callback
+ */
+
+void
+netsec_b64_snoop_decoder(netsec_context *nsc, const char *string, size_t len,
+ void *context)
+{
+ const char *decoded;
+ size_t decodedlen;
+ NMH_UNUSED(nsc);
+ int offset;
+
+ offset = context ? *((int *) context) : 0;
+
+ if (offset > 0) {
+ /*
+ * Output non-base64 data first.
+ */
+ fprintf(stderr, "%.*s", offset, string);
+ string += offset;
+ len -= offset;
+ }
+
+ if (decodeBase64(string, &decoded, &decodedlen, 1, NULL) == OK) {
+ char *hexified;
+ hexify((const unsigned char *) decoded, decodedlen, &hexified);
+ fprintf(stderr, "b64<%s>\n", hexified);
+ free(hexified);
+ free((char *) decoded);
+ } else {
+ fprintf(stderr, "%.*s\n", (int) len, string);
+ }
+}
+
/*
* Set the read timeout for this connection
*/
*/
char *
-netsec_readline(netsec_context *nsc, char **errstr)
+netsec_readline(netsec_context *nsc, size_t *len, char **errstr)
{
unsigned char *ptr = nsc->ns_inptr;
size_t count = 0, offset;
while (count < nsc->ns_inbuflen) {
count++;
if (*ptr++ == '\n') {
- char *sptr = nsc->ns_inptr;
+ char *sptr = (char *) nsc->ns_inptr;
if (count > 1 && *(ptr - 2) == '\r')
ptr--;
*--ptr = '\0';
+ if (len)
+ *len = ptr - nsc->ns_inptr;
nsc->ns_inptr += count;
nsc->ns_inbuflen -= count;
+ if (nsc->ns_snoop) {
+#ifdef CYRUS_SASL
+ if (nsc->sasl_seclayer)
+ fprintf(stderr, "(sasl-decrypted) ");
+#endif /* CYRUS_SASL */
+#ifdef TLS_SUPPORT
+ if (nsc->tls_active)
+ fprintf(stderr, "(tls-decrypted) ");
+#endif /* TLS_SUPPORT */
+ fprintf(stderr, "<= ");
+ if (nsc->ns_snoop_cb)
+ nsc->ns_snoop_cb(nsc, sptr, strlen(sptr),
+ nsc->ns_snoop_context);
+ else
+ fprintf(stderr, "%s\n", sptr);
+ }
return sptr;
}
}
offset = ptr - nsc->ns_inptr;
if (netsec_fillread(nsc, errstr) != OK)
- return NOTOK;
+ return NULL;
ptr = nsc->ns_inptr + offset;
fd_set rfds;
FD_ZERO(&rfds);
- FD_SET(nsc->ns_fd, &rfds);
+ FD_SET(nsc->ns_readfd, &rfds);
tv.tv_sec = nsc->ns_timeout;
tv.tv_usec = 0;
- rc = select(nsc->ns_fd + 1, &rfds, NULL, NULL, &tv);
+ rc = select(nsc->ns_readfd + 1, &rfds, NULL, NULL, &tv);
if (rc == -1) {
netsec_err(errstr, "select() while reading failed: %s",
* select() above) so this read SHOULDN'T block. Hopefully.
*/
- rc = read(nsc->ns_fd, readbuf, readbufsize);
+ rc = read(nsc->ns_readfd, readbuf, readbufsize);
if (rc == 0) {
netsec_err(errstr, "Received EOF on network read");
const unsigned char *bufptr = buffer;
int rc, remaining;
- /*
- * If TLS is active, then bypass all of our buffering logic; just
- * write it directly to our BIO. We have a buffering BIO first in
- * our stack, so buffering will take place there.
- */
-#ifdef TLS_SUPPORT
- if (nsc->tls_active) {
- rc = BIO_write(nsc->ssl_io, buffer, size);
-
- if (rc <= 0) {
- netsec_err(errstr, "Error writing to TLS connection: %s",
- ERR_error_string(ERR_get_error(), NULL));
- return NOTOK;
- }
+ /* Just in case */
+ if (size == 0)
return OK;
- }
-#endif /* TLS_SUPPORT */
/*
* Run a loop copying in data to our local buffer; when we're done with
}
/*
- * Write bytes to the network using printf()-style formatting.
- *
- * Again, for the most part copy stuff into our buffer to be flushed
- * out later.
+ * Our network printf() routine, which really just calls netsec_vprintf().
*/
int
va_list ap;
int rc;
- /*
- * Again, if we're using TLS, then bypass our local buffering
- */
-#ifdef TLS_SUPPORT
- if (nsc->tls_active) {
- va_start(ap, format);
- rc = BIO_vprintf(nsc->ssl_io, format, ap);
- va_end(ap);
+ va_start(ap, format);
+ rc = netsec_vprintf(nsc, errstr, format, ap);
+ va_end(ap);
- if (rc <= 0) {
- netsec_err(errstr, "Error writing to TLS connection: %s",
- ERR_error_string(ERR_get_error(), NULL));
- return NOTOK;
- }
+ return rc;
+}
- return OK;
- }
-#endif /* TLS_SUPPORT */
+/*
+ * Write bytes to the network using printf()-style formatting.
+ *
+ * Again, for the most part copy stuff into our buffer to be flushed
+ * out later.
+ */
+
+int
+netsec_vprintf(netsec_context *nsc, char **errstr, const char *format,
+ va_list ap)
+{
+ int rc;
/*
* Cheat a little. If we can fit the data into our outgoing buffer,
*/
retry:
- va_start(ap, format);
rc = vsnprintf((char *) nsc->ns_outptr,
nsc->ns_outbufsize - nsc->ns_outbuflen, format, ap);
- va_end(ap);
if (rc >= (int) (nsc->ns_outbufsize - nsc->ns_outbuflen)) {
/*
}
}
+ if (nsc->ns_snoop) {
+ int outlen = rc;
+ if (outlen > 0 && nsc->ns_outptr[outlen - 1] == '\n') {
+ outlen--;
+ if (outlen > 0 && nsc->ns_outptr[outlen - 1] == '\r')
+ outlen--;
+ } else {
+ nsc->ns_snoop_noend = 1;
+ }
+ if (outlen > 0 || nsc->ns_snoop_noend == 0) {
+#ifdef CYRUS_SASL
+ if (nsc->sasl_seclayer)
+ fprintf(stderr, "(sasl-encrypted) ");
+#endif /* CYRUS_SASL */
+#ifdef TLS_SUPPORT
+ if (nsc->tls_active)
+ fprintf(stderr, "(tls-encrypted) ");
+#endif /* TLS_SUPPORT */
+ fprintf(stderr, "=> ");
+ if (nsc->ns_snoop_cb)
+ nsc->ns_snoop_cb(nsc, (char *) nsc->ns_outptr, outlen,
+ nsc->ns_snoop_context);
+ else
+ fprintf(stderr, "%.*s\n", outlen, nsc->ns_outptr);
+ } else {
+ nsc->ns_snoop_noend = 0;
+ }
+ }
+
nsc->ns_outptr += rc;
nsc->ns_outbuflen += rc;
int rc;
/*
- * For TLS connections, just call BIO_flush(); we'll let TLS handle
- * all of our output buffering.
+ * Small optimization
*/
-#ifdef TLS_SUPPORT
- if (nsc->tls_active) {
- rc = BIO_flush(nsc->ssl_io);
-
- if (rc <= 0) {
- netsec_err(errstr, "Error flushing TLS connection: %s",
- ERR_error_string(ERR_get_error(), NULL));
- return NOTOK;
- }
+ if (netoutlen == 0)
return OK;
- }
-#endif /* TLS_SUPPORT */
/*
* If SASL security layers are in effect, run the data through
- * sasl_encode() first and then write it.
+ * sasl_encode() first.
*/
#ifdef CYRUS_SASL
if (nsc->sasl_seclayer) {
}
#endif /* CYRUS_SASL */
- rc = write(nsc->ns_fd, netoutbuf, netoutlen);
- if (rc < 0) {
- netsec_err(errstr, "write() failed: %s", strerror(errno));
- return NOTOK;
+ /*
+ * If TLS is active, then use those functions to write out the
+ * data.
+ */
+#ifdef TLS_SUPPORT
+ if (nsc->tls_active) {
+ if (BIO_write(nsc->ssl_io, netoutbuf, netoutlen) <= 0) {
+ netsec_err(errstr, "Error writing to TLS connection: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ return NOTOK;
+ }
+ } else
+#endif /* TLS_SUPPORT */
+ {
+ rc = write(nsc->ns_writefd, netoutbuf, netoutlen);
+
+ if (rc < 0) {
+ netsec_err(errstr, "write() failed: %s", strerror(errno));
+ return NOTOK;
+ }
}
nsc->ns_outptr = nsc->ns_outbuffer;
return NOTOK;
}
- nsc->sasl_mech = mechanism ? getcpy(mechanism) : NULL;
+ /*
+ * According to the RFC, mechanisms can only be uppercase letter, numbers,
+ * and a hypen or underscore. So make sure we uppercase any letters
+ * in case the user passed in lowercase.
+ */
+
+ if (mechanism) {
+ char *p;
+ nsc->sasl_mech = getcpy(mechanism);
+
+ for (p = nsc->sasl_mech; *p; p++)
+ if (isascii((unsigned char) *p)) /* Just in case */
+ *p = toupper((unsigned char) *p);
+ }
+
nsc->sasl_proto_cb = callback;
nsc->sasl_hostname = getcpy(hostname);
unsigned char *outbuf;
unsigned int saslbuflen, outbuflen;
sasl_ssf_t *ssf;
- int rc, *outbufmax;
+ int *outbufmax;
+#endif
+#ifdef OAUTH_SUPPORT
+ unsigned char *xoauth_client_res;
+ size_t xoauth_client_res_len;
+#endif /* OAUTH_SUPPORT */
+ int rc;
+
+ /*
+ * If we've been passed a requested mechanism, check our mechanism
+ * list from the protocol. If it's not supported, return an error.
+ */
+
+ if (nsc->sasl_mech) {
+ char **str, *mlist = getcpy(mechlist);
+ int i;
+
+ str = brkstring(mlist, " ", NULL);
+
+ for (i = 0; str[i] != NULL; i++) {
+ if (strcasecmp(nsc->sasl_mech, str[i]) == 0) {
+ break;
+ }
+ }
+
+ i = (str[i] == NULL);
+
+ free(mlist);
+
+ if (i) {
+ netsec_err(errstr, "Chosen mechanism %s not supported by server",
+ nsc->sasl_mech);
+ return NOTOK;
+ }
+ }
+
+#ifdef OAUTH_SUPPORT
+ if (nsc->sasl_mech && strcasecmp(nsc->sasl_mech, "XOAUTH2") == 0) {
+ /*
+ * This should be relatively straightforward, but requires some
+ * help from the plugin. Basically, if XOAUTH2 is a success,
+ * the callback has to return success, but no output data. If
+ * there is output data, it will be assumed that it is the JSON
+ * error message.
+ */
+
+ if (! nsc->oauth_service) {
+ netsec_err(errstr, "Internal error: OAuth2 service name not given");
+ return NOTOK;
+ }
+
+ nsc->sasl_chosen_mech = getcpy(nsc->sasl_mech);
+
+ if (mh_oauth_do_xoauth(nsc->ns_userid, nsc->oauth_service,
+ &xoauth_client_res, &xoauth_client_res_len,
+ nsc->ns_snoop ? stderr : NULL) != OK) {
+ netsec_err(errstr, "Internal error: Unable to get OAuth2 "
+ "bearer token");
+ return NOTOK;
+ }
+
+ rc = nsc->sasl_proto_cb(NETSEC_SASL_START, xoauth_client_res,
+ xoauth_client_res_len, NULL, 0, errstr);
+ free(xoauth_client_res);
+
+ if (rc != OK)
+ return NOTOK;
+
+ /*
+ * Okay, we need to do a NETSEC_SASL_FINISH now. If we return
+ * success, we indicate that with no output data. But if we
+ * fail, then send a blank message and get the resulting
+ * error.
+ */
+
+ rc = nsc->sasl_proto_cb(NETSEC_SASL_FINISH, NULL, 0, NULL, 0, errstr);
+
+ if (rc != OK) {
+ /*
+ * We're going to assume the error here is a JSON response;
+ * we ignore it and send a blank message in response. We should
+ * then get either an +OK or -ERR
+ */
+ free(*errstr);
+ nsc->sasl_proto_cb(NETSEC_SASL_WRITE, NULL, 0, NULL, 0, NULL);
+ rc = nsc->sasl_proto_cb(NETSEC_SASL_FINISH, NULL, 0, NULL, 0,
+ errstr);
+ if (rc == 0) {
+ netsec_err(errstr, "Unexpected success after OAuth failure!");
+ }
+ return NOTOK;
+ }
+ return OK;
+ }
+#endif /* OAUTH_SUPPORT */
+#ifdef CYRUS_SASL
/*
* In netsec_set_sasl_params, we've already done all of our setup with
* sasl_client_init() and sasl_client_new(). So time to set security
* sasl_client_step() loop (after sasl_client_start, of course).
*/
- rc = sasl_client_start(nsc->sasl_conn, mechlist, NULL,
+ rc = sasl_client_start(nsc->sasl_conn,
+ nsc->sasl_mech ? nsc->sasl_mech : mechlist, NULL,
(const char **) &saslbuf, &saslbuflen,
&chosen_mech);
nsc->sasl_chosen_mech = getcpy(chosen_mech);
- if (nsc->sasl_proto_cb(NETSEC_SASL_START, saslbuf, saslbuflen, &outbuf,
- &outbuflen, errstr) != OK)
- return NOTOK;
-
- if (netsec_write(nsc, outbuf, outbuflen, errstr) != OK) {
- free(outbuf);
- return NOTOK;
- }
-
- free(outbuf);
-
- if (netsec_flush(nsc, errstr) != OK)
+ if (nsc->sasl_proto_cb(NETSEC_SASL_START, saslbuf, saslbuflen, NULL, 0,
+ errstr) != OK)
return NOTOK;
/*
if (nsc->sasl_proto_cb(NETSEC_SASL_READ, NULL, 0, &outbuf, &outbuflen,
errstr) != OK) {
- if (nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, &outbuf,
- &outbuflen, NULL) == OK) {
- netsec_write(nsc, outbuf, outbuflen, NULL);
- netsec_flush(nsc, NULL);
- free(outbuf);
- }
+ nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, NULL, 0, NULL);
return NOTOK;
}
rc = sasl_client_step(nsc->sasl_conn, (char *) outbuf, outbuflen, NULL,
(const char **) &saslbuf, &saslbuflen);
- free(outbuf);
+ if (outbuf)
+ free(outbuf);
if (rc != SASL_OK && rc != SASL_CONTINUE) {
netsec_err(errstr, "SASL client negotiation failed: %s",
sasl_errdetail(nsc->sasl_conn));
- if (nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, &outbuf,
- &outbuflen, NULL) == OK) {
- netsec_write(nsc, outbuf, outbuflen, NULL);
- netsec_flush(nsc, NULL);
- free(outbuf);
- }
+ nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, NULL, 0, NULL);
return NOTOK;
}
if (nsc->sasl_proto_cb(NETSEC_SASL_WRITE, saslbuf, saslbuflen,
- &outbuf, &outbuflen, errstr) != OK) {
- if (nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, &outbuf,
- &outbuflen, NULL) == OK) {
- netsec_write(nsc, outbuf, outbuflen, NULL);
- netsec_flush(nsc, NULL);
- free(outbuf);
- }
+ NULL, 0, errstr) != OK) {
+ nsc->sasl_proto_cb(NETSEC_SASL_CANCEL, NULL, 0, NULL, 0, NULL);
return NOTOK;
}
-
- if (netsec_write(nsc, outbuf, outbuflen, errstr) != OK) {
- free(outbuf);
- return NOTOK;
- }
-
- free(outbuf);
-
- if (netsec_flush(nsc, errstr) != OK)
- return NOTOK;
}
/*
#endif /* CYRUS_SASL */
}
+/*
+ * Set an OAuth2 service name, if we support it.
+ */
+
+int
+netsec_set_oauth_service(netsec_context *nsc, const char *service)
+{
+#ifdef OAUTH_SUPPORT
+ nsc->oauth_service = getcpy(service);
+ return OK;
+#else /* OAUTH_SUPPORT */
+ return NOTOK;
+#endif /* OAUTH_SUPPORT */
+}
+
/*
* Initialize (and enable) TLS for this connection
*/
if (tls) {
#ifdef TLS_SUPPORT
SSL *ssl;
- BIO *sbio, *ssl_bio;;
+ BIO *rbio, *wbio, *ssl_bio;;
if (! tls_initialized) {
SSL_library_init();
tls_initialized++;
}
- if (nsc->ns_fd == -1) {
+ if (nsc->ns_readfd == -1 || nsc->ns_writefd == -1) {
netsec_err(errstr, "Invalid file descriptor in netsec context");
return NOTOK;
}
* So writes and reads are buffered (we mostly care about writes).
*/
- sbio = BIO_new_socket(nsc->ns_fd, BIO_NOCLOSE);
+ rbio = BIO_new_socket(nsc->ns_readfd, BIO_NOCLOSE);
- if (! sbio) {
- netsec_err(errstr, "Unable to create a socket BIO: %s",
+ if (! rbio) {
+ netsec_err(errstr, "Unable to create a read socket BIO: %s",
ERR_error_string(ERR_get_error(), NULL));
SSL_free(ssl);
return NOTOK;
}
- SSL_set_bio(ssl, sbio, sbio);
- SSL_set_connect_state(ssl);
-
- nsc->ssl_io = BIO_new(BIO_f_buffer());
+ wbio = BIO_new_socket(nsc->ns_writefd, BIO_NOCLOSE);
- if (! nsc->ssl_io) {
- netsec_err(errstr, "Unable to create a buffer BIO: %s",
+ if (! wbio) {
+ netsec_err(errstr, "Unable to create a write socket BIO: %s",
ERR_error_string(ERR_get_error(), NULL));
SSL_free(ssl);
+ BIO_free(rbio);
return NOTOK;
}
+ SSL_set_bio(ssl, rbio, wbio);
+ SSL_set_connect_state(ssl);
+
ssl_bio = BIO_new(BIO_f_ssl());
if (! ssl_bio) {
}
BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
- BIO_push(nsc->ssl_io, ssl_bio);
+ nsc->ssl_io = ssl_bio;
return OK;
} else {
fprintf(stderr, "WARNING: cannot determine SSL ciphers\n");
} else {
const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
- fprintf(stderr, "TLS negotation successful: %s(%d) %s\n",
+ fprintf(stderr, "TLS negotiation successful: %s(%d) %s\n",
SSL_CIPHER_get_name(cipher),
SSL_CIPHER_get_bits(cipher, NULL),
SSL_CIPHER_get_version(cipher));
nsc->tls_active = 1;
- /*
- * At this point, TLS has been activated; we're not going to use
- * the output buffer, so free it now to save a little bit of memory.
- */
-
- if (nsc->ns_outbuffer) {
- free(nsc->ns_outbuffer);
- nsc->ns_outbuffer = NULL;
- }
-
return OK;
#else /* TLS_SUPPORT */
netsec_err(errstr, "TLS not supported");
* Generate an (allocated) error string
*/
-static void
+void
netsec_err(char **errstr, const char *fmt, ...)
{
va_list ap;
projects / nmh / blobdiff