=== added file 'network-protocol.txt'
--- network-protocol.txt 1970-01-01 00:00:00 +0000
+++ network-protocol.txt 2008-08-04 23:38:26 +0000
@@ -0,0 +1,14 @@
+Network Protocol Version 1
+
+The server announces itself as an IPv6 Zeroconf service of type
+"_mandos._tcp". A connecting client sends a line of text where the
+first whitespace-separated field is the protocol version, which
+currently is "1". The client and server then start a TLS handshake,
+with the unusual property that the server program acts as a TLS
+"client" and the connecting client acts as a TLS "server". In this
+TLS handshake the client must supply an OpenPGP certificate, and the
+fingerprint of this certificate is used by the server to look up (in a
+list read from file at start time) which binary blob to give the
+client. No other authentication or authorization is done by the
+server. After the binary blob is sent by the server to the client,
+the server closes the connection.
=== modified file 'plugins.d/mandosclient.c'
--- plugins.d/mandosclient.c 2008-08-04 16:23:20 +0000
+++ plugins.d/mandosclient.c 2008-08-04 22:46:32 +0000
@@ -319,6 +319,7 @@
 != GNUTLS_E_SUCCESS) {
 fprintf (stderr, "GnuTLS memory error: %s\n", safer_gnutls_strerror(ret));
+ gnutls_global_deinit ();
 return -1;
 }
@@ -336,7 +337,7 @@
 " '%s')\n", ret, pubkeyfile, seckeyfile);
 fprintf(stdout, "The GnuTLS error is: %s\n", safer_gnutls_strerror(ret));
- return -1;
+ goto globalfail;
 }
 /* GnuTLS server initialization */
@@ -344,18 +345,25 @@
 if (ret != GNUTLS_E_SUCCESS) {
 fprintf (stderr, "Error in GnuTLS DH parameter initialization:" " %s\n", safer_gnutls_strerror(ret));
- return -1;
+ goto globalfail;
 }
 ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
 if (ret != GNUTLS_E_SUCCESS) {
 fprintf (stderr, "Error in GnuTLS prime generation: %s\n", safer_gnutls_strerror(ret));
- return -1;
+ goto globalfail;
 }
 gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
 return 0;
+
+ globalfail:
+
+ gnutls_certificate_free_credentials (mc->cred);
+ gnutls_global_deinit ();
+ return -1;
+
 }
 static int init_gnutls_session(mandos_context *mc,
@@ -375,6 +383,7 @@
 fprintf(stderr, "Syntax error at: %s\n", err);
 fprintf(stderr, "GnuTLS error: %s\n", safer_gnutls_strerror(ret));
+ gnutls_deinit (*session);
 return -1;
 }
 }
@@ -384,6 +393,7 @@
 if (ret != GNUTLS_E_SUCCESS) {
 fprintf(stderr, "Error setting GnuTLS credentials: %s\n", safer_gnutls_strerror(ret));
+ gnutls_deinit (*session);
 return -1;
 }
@@ -603,8 +613,6 @@
 free(buffer);
 close(tcp_sd);
 gnutls_deinit (session);
- gnutls_certificate_free_credentials (mc->cred);
- gnutls_global_deinit ();
 return retval;
 }
@@ -741,6 +749,7 @@
 const char *seckeyfile = "seckey.txt";
 mandos_context mc = { .simple_poll = NULL, .server = NULL, .dh_bits = 1024, .priority = "SECURE256"};
+ bool gnutls_initalized = false;
 {
 struct argp_option options[] = {
@@ -846,6 +855,8 @@
 if (ret == -1){
 fprintf(stderr, "init_gnutls_global\n");
 goto end;
+ } else {
+ gnutls_initalized = true;
 }
 uid = getuid();
@@ -1000,6 +1011,11 @@
 avahi_simple_poll_free(mc.simple_poll);
 free(pubkeyfile);
 free(seckeyfile);
+
+ if (gnutls_initalized){
+ gnutls_certificate_free_credentials (mc.cred);
+ gnutls_global_deinit ();
+ }
 return exitcode;
 }
=== modified file 'server.py'
--- server.py 2008-08-04 21:25:55 +0000
+++ server.py 2008-08-04 23:38:26 +0000
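Review bot: The new `globalfail` label releases the credentials and the GnuTLS global state but not `mc->dh_params`, so when `gnutls_dh_params_generate2` fails the parameter handle initialised by the preceding `gnutls_dh_params_init` is leaked; that branch should read `gnutls_dh_params_deinit (mc->dh_params); goto globalfail;` while the earlier `gnutls_dh_params_init` failure branch must keep the plain `goto`, since its handle was never set up. For a plugin that exits on failure this is only a tidiness issue, but it is cheap to get right now that the function has a single cleanup path. init_gnutls_global's opening lines are outside the hunk.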
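Review bot: Both new `gnutls_deinit (*session);` calls in init_gnutls_session (hunks at 375 and 384) leave `*session` pointing at a freed session while the function returns -1, so a caller that releases the session on its own error path would free it twice; adding `*session = NULL;` directly after each deinit makes the failed state unambiguous for the caller. Whether the caller does release it on failure is not visible in this diff, so treat this as a guard worth confirming rather than a known double free. The function's signature and remaining body lie outside these hunks.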
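Review bot: The flag introduced in the hunk at 741 is misspelt, `gnutls_initalized`, and the typo is repeated in the two later hunks that set and test it; declaring it as `bool gnutls_initialized = false;` now avoids a three-site rename later. `bool` also requires `<stdbool.h>`, which is not visible in this diff — confirm the file already includes it. main begins and ends outside the hunk.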
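Review bot: The exit cleanup in the hunk at 1000 frees the credentials and calls `gnutls_global_deinit ()` but never releases `mc.dh_params`, which init_gnutls_global generates and registers via `gnutls_certificate_set_dh_params`; the GnuTLS documentation states that the credential only stores a pointer to those parameters, so they remain owned by this program and should be released with `gnutls_dh_params_deinit (mc.dh_params);` placed after `gnutls_certificate_free_credentials (mc.cred);` inside the same `if (gnutls_initalized)` block. The flag guards this correctly, since it is only set when init_gnutls_global returned 0 and therefore generated the parameters. The rest of main is outside the hunk.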
@@ -6,9 +6,9 @@
 # This program is partly derived from an example program for an Avahi
 # service publisher, downloaded from
 # . This includes the
-# following functions: "AvahiService.add", "AvahiService.remove",
-# "server_state_changed", "entry_group_state_changed", and some lines
-# in "main".
+# methods "add" and "remove" in the "AvahiService" class, the
+# "server_state_changed" and "entry_group_state_changed" functions,
+# and some lines in "main".
 #
 # Everything else is
 # Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
@@ -61,17 +61,6 @@
 from dbus.mainloop.glib import DBusGMainLoop
 import ctypes
-# Brief description of the operation of this program:
-#
-# This server announces itself as a Zeroconf service. Connecting
-# clients use the TLS protocol, with the unusual quirk that this
-# server program acts as a TLS "client" while a connecting client acts
-# as a TLS "server". The client (acting as a TLS "server") must
-# supply an OpenPGP certificate, and the fingerprint of this
-# certificate is used by this server to look up (in a list read from a
-# file at start time) which binary blob to give the client. No other
-# authentication or authorization is done by this server.
-
 logger = logging.Logger('mandos')
 syslogger = logging.handlers.SysLogHandler\
@@ -635,6 +624,8 @@
 os.setsid()
 if not nochdir:
 os.chdir("/")
+ if os.fork():
+ sys.exit()
 if not noclose:
 # Close all standard open file descriptors
 null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
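Review bot: In the hunk at 635 the intermediate parent leaves via `sys.exit()`, which raises SystemExit and therefore runs any `finally` blocks, `atexit` handlers and stdio flushing the process registered before the fork; in a daemoniser those belong to the surviving child, and running them in the parent can flush buffered output twice or tear down state the daemon still relies on, so the conventional form here is `os._exit(0)`. The first fork is outside this hunk and should use the same exit call for consistency. `os.fork()` can also raise OSError, which this branch does not handle any differently from the surrounding code. daemon()'s signature and remainder lie outside the hunk.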