summaryrefslogtreecommitdiff
path: root/plugins/MirOTR/libotr/src/auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/MirOTR/libotr/src/auth.c')
-rw-r--r--plugins/MirOTR/libotr/src/auth.c2226
1 files changed, 1193 insertions, 1033 deletions
diff --git a/plugins/MirOTR/libotr/src/auth.c b/plugins/MirOTR/libotr/src/auth.c
index 978c986613..d0c55057e1 100644
--- a/plugins/MirOTR/libotr/src/auth.c
+++ b/plugins/MirOTR/libotr/src/auth.c
@@ -1,6 +1,8 @@
/*
* Off-the-Record Messaging library
- * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits,
+ * Chris Alexander, Willy Lew, Lisa Du,
+ * Nikita Borisov
* <otr@cypherpunks.ca>
*
* This library is free software; you can redistribute it and/or
@@ -14,7 +16,7 @@
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
/* system headers */
@@ -27,33 +29,73 @@
#include "privkey.h"
#include "auth.h"
#include "serial.h"
+#include "proto.h"
+#include "context.h"
+#include "mem.h"
+
+#if OTRL_DEBUGGING
+#include <stdio.h>
+
+/* Dump the contents of an OtrlAuthInfo to the FILE *f. */
+void otrl_auth_dump(FILE *f, const OtrlAuthInfo *auth)
+{
+ int i;
+
+ fprintf(f, " Auth info %p:\n", auth);
+ fprintf(f, " State: %d (%s)\n", auth->authstate,
+ auth->authstate == OTRL_AUTHSTATE_NONE ? "NONE" :
+ auth->authstate == OTRL_AUTHSTATE_AWAITING_DHKEY ? "AWAITING_DHKEY" :
+ auth->authstate == OTRL_AUTHSTATE_AWAITING_REVEALSIG ?
+ "AWAITING_REVEALSIG" :
+ auth->authstate == OTRL_AUTHSTATE_AWAITING_SIG ? "AWAITING_SIG" :
+ auth->authstate == OTRL_AUTHSTATE_V1_SETUP ? "V1_SETUP" :
+ "INVALID");
+ fprintf(f, " Context: %p\n", auth->context);
+ fprintf(f, " Our keyid: %u\n", auth->our_keyid);
+ fprintf(f, " Their keyid: %u\n", auth->their_keyid);
+ fprintf(f, " Their fingerprint: ");
+ for (i=0;i<20;++i) {
+ fprintf(f, "%02x", auth->their_fingerprint[i]);
+ }
+ fprintf(f, "\n Initiated = %d\n", auth->initiated);
+ fprintf(f, "\n Proto version = %d\n", auth->protocol_version);
+ fprintf(f, "\n Lastauthmsg = %s\n",
+ auth->lastauthmsg ? auth->lastauthmsg : "(nil)");
+ fprintf(f, "\n Commit sent time = %ld\n",
+ (long) auth->commit_sent_time);
+}
+
+#endif
/*
* Initialize the fields of an OtrlAuthInfo (already allocated).
*/
-void otrl_auth_new(OtrlAuthInfo *auth)
+void otrl_auth_new(struct context *context)
{
- auth->authstate = OTRL_AUTHSTATE_NONE;
- otrl_dh_keypair_init(&(auth->our_dh));
- auth->our_keyid = 0;
- auth->encgx = NULL;
- auth->encgx_len = 0;
- memset(auth->r, 0, 16);
- memset(auth->hashgx, 0, 32);
- auth->their_pub = NULL;
- auth->their_keyid = 0;
- auth->enc_c = NULL;
- auth->enc_cp = NULL;
- auth->mac_m1 = NULL;
- auth->mac_m1p = NULL;
- auth->mac_m2 = NULL;
- auth->mac_m2p = NULL;
- memset(auth->their_fingerprint, 0, 20);
- auth->initiated = 0;
- auth->protocol_version = 0;
- memset(auth->secure_session_id, 0, 20);
- auth->secure_session_id_len = 0;
- auth->lastauthmsg = NULL;
+ OtrlAuthInfo *auth = &(context->auth);
+ auth->authstate = OTRL_AUTHSTATE_NONE;
+ otrl_dh_keypair_init(&(auth->our_dh));
+ auth->our_keyid = 0;
+ auth->encgx = NULL;
+ auth->encgx_len = 0;
+ memset(auth->r, 0, 16);
+ memset(auth->hashgx, 0, 32);
+ auth->their_pub = NULL;
+ auth->their_keyid = 0;
+ auth->enc_c = NULL;
+ auth->enc_cp = NULL;
+ auth->mac_m1 = NULL;
+ auth->mac_m1p = NULL;
+ auth->mac_m2 = NULL;
+ auth->mac_m2p = NULL;
+ memset(auth->their_fingerprint, 0, 20);
+ auth->initiated = 0;
+ auth->protocol_version = 0;
+ memset(auth->secure_session_id, 0, 20);
+ auth->secure_session_id_len = 0;
+ auth->lastauthmsg = NULL;
+ auth->commit_sent_time = 0;
+ auth->context = context;
}
/*
@@ -61,135 +103,145 @@ void otrl_auth_new(OtrlAuthInfo *auth)
*/
void otrl_auth_clear(OtrlAuthInfo *auth)
{
- auth->authstate = OTRL_AUTHSTATE_NONE;
- otrl_dh_keypair_free(&(auth->our_dh));
- auth->our_keyid = 0;
- free(auth->encgx);
- auth->encgx = NULL;
- auth->encgx_len = 0;
- memset(auth->r, 0, 16);
- memset(auth->hashgx, 0, 32);
- gcry_mpi_release(auth->their_pub);
- auth->their_pub = NULL;
- auth->their_keyid = 0;
- gcry_cipher_close(auth->enc_c);
- gcry_cipher_close(auth->enc_cp);
- gcry_md_close(auth->mac_m1);
- gcry_md_close(auth->mac_m1p);
- gcry_md_close(auth->mac_m2);
- gcry_md_close(auth->mac_m2p);
- auth->enc_c = NULL;
- auth->enc_cp = NULL;
- auth->mac_m1 = NULL;
- auth->mac_m1p = NULL;
- auth->mac_m2 = NULL;
- auth->mac_m2p = NULL;
- memset(auth->their_fingerprint, 0, 20);
- auth->initiated = 0;
- auth->protocol_version = 0;
- memset(auth->secure_session_id, 0, 20);
- auth->secure_session_id_len = 0;
- free(auth->lastauthmsg);
- auth->lastauthmsg = NULL;
+ auth->authstate = OTRL_AUTHSTATE_NONE;
+ otrl_dh_keypair_free(&(auth->our_dh));
+ auth->our_keyid = 0;
+ free(auth->encgx);
+ auth->encgx = NULL;
+ auth->encgx_len = 0;
+ memset(auth->r, 0, 16);
+ memset(auth->hashgx, 0, 32);
+ gcry_mpi_release(auth->their_pub);
+ auth->their_pub = NULL;
+ auth->their_keyid = 0;
+ gcry_cipher_close(auth->enc_c);
+ gcry_cipher_close(auth->enc_cp);
+ gcry_md_close(auth->mac_m1);
+ gcry_md_close(auth->mac_m1p);
+ gcry_md_close(auth->mac_m2);
+ gcry_md_close(auth->mac_m2p);
+ auth->enc_c = NULL;
+ auth->enc_cp = NULL;
+ auth->mac_m1 = NULL;
+ auth->mac_m1p = NULL;
+ auth->mac_m2 = NULL;
+ auth->mac_m2p = NULL;
+ memset(auth->their_fingerprint, 0, 20);
+ auth->initiated = 0;
+ auth->protocol_version = 0;
+ memset(auth->secure_session_id, 0, 20);
+ auth->secure_session_id_len = 0;
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = NULL;
+ auth->commit_sent_time = 0;
}
/*
- * Start a fresh AKE (version 2) using the given OtrlAuthInfo. Generate
+ * Start a fresh AKE (version 2 or 3) using the given OtrlAuthInfo. Generate
* a fresh DH keypair to use. If no error is returned, the message to
* transmit will be contained in auth->lastauthmsg.
*/
-gcry_error_t otrl_auth_start_v2(OtrlAuthInfo *auth)
+gcry_error_t otrl_auth_start_v23(OtrlAuthInfo *auth, int version)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
- size_t npub;
- gcry_cipher_hd_t enc = NULL;
- unsigned char ctr[16];
- unsigned char *buf, *bufp;
- size_t buflen, lenp;
-
- /* Clear out this OtrlAuthInfo and start over */
- otrl_auth_clear(auth);
- auth->initiated = 1;
-
- otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
- auth->our_keyid = 1;
-
- /* Pick an encryption key */
- gcry_randomize(auth->r, 16, GCRY_STRONG_RANDOM);
-
- /* Allocate space for the encrypted g^x */
- gcry_mpi_print(format, NULL, 0, &npub, auth->our_dh.pub);
- auth->encgx = malloc(4+npub);
- if (auth->encgx == NULL) goto memerr;
- auth->encgx_len = 4+npub;
- bufp = auth->encgx;
- lenp = auth->encgx_len;
- write_mpi(auth->our_dh.pub, npub, "g^x");
- assert(lenp == 0);
-
- /* Hash g^x */
- gcry_md_hash_buffer(GCRY_MD_SHA256, auth->hashgx, auth->encgx,
- auth->encgx_len);
-
- /* Encrypt g^x using the key r */
- err = gcry_cipher_open(&enc, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR,
- GCRY_CIPHER_SECURE);
- if (err) goto err;
-
- err = gcry_cipher_setkey(enc, auth->r, 16);
- if (err) goto err;
-
- memset(ctr, 0, 16);
- err = gcry_cipher_setctr(enc, ctr, 16);
- if (err) goto err;
-
- err = gcry_cipher_encrypt(enc, auth->encgx, auth->encgx_len, NULL, 0);
- if (err) goto err;
-
- gcry_cipher_close(enc);
- enc = NULL;
-
- /* Now serialize the message */
- lenp = 3 + 4 + auth->encgx_len + 4 + 32;
- bufp = malloc(lenp);
- if (bufp == NULL) goto memerr;
- buf = bufp;
- buflen = lenp;
-
- memcpy(bufp, "\x00\x02\x02", 3); /* header */
- debug_data("Header", bufp, 3);
- bufp += 3; lenp -= 3;
-
- /* Encrypted g^x */
- write_int(auth->encgx_len);
- debug_int("Enc gx len", bufp-4);
- memcpy(bufp, auth->encgx, auth->encgx_len);
- debug_data("Enc gx", bufp, auth->encgx_len);
- bufp += auth->encgx_len; lenp -= auth->encgx_len;
-
- /* Hashed g^x */
- write_int(32);
- debug_int("hashgx len", bufp-4);
- memcpy(bufp, auth->hashgx, 32);
- debug_data("hashgx", bufp, 32);
- bufp += 32; lenp -= 32;
-
- assert(lenp == 0);
-
- auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
- free(buf);
- if (auth->lastauthmsg == NULL) goto memerr;
- auth->authstate = OTRL_AUTHSTATE_AWAITING_DHKEY;
-
- return err;
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ size_t npub;
+ gcry_cipher_hd_t enc = NULL;
+ unsigned char ctr[16];
+ unsigned char *buf, *bufp;
+ size_t buflen, lenp;
+
+ /* Clear out this OtrlAuthInfo and start over */
+ otrl_auth_clear(auth);
+ auth->initiated = 1;
+ auth->protocol_version = version;
+ auth->context->protocol_version = version;
+
+ otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
+ auth->our_keyid = 1;
+
+ /* Pick an encryption key */
+ gcry_randomize(auth->r, 16, GCRY_STRONG_RANDOM);
+
+ /* Allocate space for the encrypted g^x */
+ gcry_mpi_print(format, NULL, 0, &npub, auth->our_dh.pub);
+ auth->encgx = malloc(4+npub);
+ if (auth->encgx == NULL) goto memerr;
+ auth->encgx_len = 4+npub;
+ bufp = auth->encgx;
+ lenp = auth->encgx_len;
+ write_mpi(auth->our_dh.pub, npub, "g^x");
+ assert(lenp == 0);
+
+ /* Hash g^x */
+ gcry_md_hash_buffer(GCRY_MD_SHA256, auth->hashgx, auth->encgx,
+ auth->encgx_len);
+
+ /* Encrypt g^x using the key r */
+ err = gcry_cipher_open(&enc, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR,
+ GCRY_CIPHER_SECURE);
+ if (err) goto err;
+
+ err = gcry_cipher_setkey(enc, auth->r, 16);
+ if (err) goto err;
+
+ memset(ctr, 0, 16);
+ err = gcry_cipher_setctr(enc, ctr, 16);
+ if (err) goto err;
+
+ err = gcry_cipher_encrypt(enc, auth->encgx, auth->encgx_len, NULL, 0);
+ if (err) goto err;
+
+ gcry_cipher_close(enc);
+ enc = NULL;
+
+ /* Now serialize the message */
+ lenp = OTRL_HEADER_LEN + (auth->protocol_version == 3 ? 8 : 0) + 4
+ + auth->encgx_len + 4 + 32;
+ bufp = malloc(lenp);
+ if (bufp == NULL) goto memerr;
+ buf = bufp;
+ buflen = lenp;
+
+ /* Header */
+ write_header(auth->protocol_version, '\x02');
+ if (auth->protocol_version == 3) {
+ /* instance tags */
+ write_int(auth->context->our_instance);
+ debug_int("Sender instag", bufp-4);
+ write_int(auth->context->their_instance);
+ debug_int("Recipient instag", bufp-4);
+ }
+
+ /* Encrypted g^x */
+ write_int(auth->encgx_len);
+ debug_int("Enc gx len", bufp-4);
+ memmove(bufp, auth->encgx, auth->encgx_len);
+ debug_data("Enc gx", bufp, auth->encgx_len);
+ bufp += auth->encgx_len; lenp -= auth->encgx_len;
+
+ /* Hashed g^x */
+ write_int(32);
+ debug_int("hashgx len", bufp-4);
+ memmove(bufp, auth->hashgx, 32);
+ debug_data("hashgx", bufp, 32);
+ bufp += 32; lenp -= 32;
+
+ assert(lenp == 0);
+
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
+ free(buf);
+ if (auth->lastauthmsg == NULL) goto memerr;
+ auth->authstate = OTRL_AUTHSTATE_AWAITING_DHKEY;
+
+ return err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- otrl_auth_clear(auth);
- gcry_cipher_close(enc);
- return err;
+ otrl_auth_clear(auth);
+ gcry_cipher_close(enc);
+ return err;
}
/*
@@ -198,38 +250,44 @@ err:
*/
static gcry_error_t create_key_message(OtrlAuthInfo *auth)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
- unsigned char *buf, *bufp;
- size_t buflen, lenp;
- size_t npub;
-
- gcry_mpi_print(format, NULL, 0, &npub, auth->our_dh.pub);
- buflen = 3 + 4 + npub;
- buf = malloc(buflen);
- if (buf == NULL) goto memerr;
- bufp = buf;
- lenp = buflen;
-
- memcpy(bufp, "\x00\x02\x0a", 3); /* header */
- debug_data("Header", bufp, 3);
- bufp += 3; lenp -= 3;
-
- /* g^y */
- write_mpi(auth->our_dh.pub, npub, "g^y");
-
- assert(lenp == 0);
-
- free(auth->lastauthmsg);
- auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
- free(buf);
- if (auth->lastauthmsg == NULL) goto memerr;
-
- return err;
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ unsigned char *buf, *bufp;
+ size_t buflen, lenp;
+ size_t npub;
+
+ gcry_mpi_print(format, NULL, 0, &npub, auth->our_dh.pub);
+ buflen = OTRL_HEADER_LEN + (auth->protocol_version == 3 ? 8 : 0) + 4 + npub;
+ buf = malloc(buflen);
+ if (buf == NULL) goto memerr;
+ bufp = buf;
+ lenp = buflen;
+
+ /* header */
+ write_header(auth->protocol_version, '\x0a');
+ if (auth->protocol_version == 3) {
+ /* instance tags */
+ write_int(auth->context->our_instance);
+ debug_int("Sender instag", bufp-4);
+ write_int(auth->context->their_instance);
+ debug_int("Recipient instag", bufp-4);
+ }
+
+ /* g^y */
+ write_mpi(auth->our_dh.pub, npub, "g^y");
+
+ assert(lenp == 0);
+
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
+ free(buf);
+ if (auth->lastauthmsg == NULL) goto memerr;
+
+ return err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
- return err;
+ err = gcry_error(GPG_ERR_ENOMEM);
+ return err;
}
/*
@@ -238,112 +296,131 @@ memerr:
* keypair to use.
*/
gcry_error_t otrl_auth_handle_commit(OtrlAuthInfo *auth,
- const char *commitmsg)
+ const char *commitmsg, int version)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- unsigned char *buf = NULL, *bufp = NULL, *encbuf = NULL;
- unsigned char hashbuf[32];
- size_t buflen, lenp, enclen, hashlen;
- int res;
-
- res = otrl_base64_otr_decode(commitmsg, &buf, &buflen);
- if (res == -1) goto memerr;
- if (res == -2) goto invval;
-
- bufp = buf;
- lenp = buflen;
-
- /* Header */
- require_len(3);
- if (memcmp(bufp, "\x00\x02\x02", 3)) goto invval;
- bufp += 3; lenp -= 3;
-
- /* Encrypted g^x */
- read_int(enclen);
- require_len(enclen);
- encbuf = malloc(enclen);
- if (encbuf == NULL && enclen > 0) goto memerr;
- memcpy(encbuf, bufp, enclen);
- bufp += enclen; lenp -= enclen;
-
- /* Hashed g^x */
- read_int(hashlen);
- if (hashlen != 32) goto invval;
- require_len(32);
- memcpy(hashbuf, bufp, 32);
- bufp += 32; lenp -= 32;
-
- if (lenp != 0) goto invval;
- free(buf);
- buf = NULL;
-
- switch(auth->authstate) {
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL, *encbuf = NULL;
+ unsigned char hashbuf[32];
+ size_t buflen, lenp, enclen, hashlen;
+ int res;
+
+ /* Are we the auth for the master context? */
+ int is_master = (auth->context->m_context == auth->context);
+
+ res = otrl_base64_otr_decode(commitmsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
+
+ bufp = buf;
+ lenp = buflen;
+
+ /* Header */
+ auth->protocol_version = version;
+ auth->context->protocol_version = version;
+ skip_header('\x02');
+
+ if (version == 3) {
+ require_len(8);
+ bufp += 8; lenp -= 8;
+ }
+
+ /* Encrypted g^x */
+ read_int(enclen);
+ require_len(enclen);
+ encbuf = malloc(enclen);
+ if (encbuf == NULL && enclen > 0) goto memerr;
+ memmove(encbuf, bufp, enclen);
+ bufp += enclen; lenp -= enclen;
+
+ /* Hashed g^x */
+ read_int(hashlen);
+ if (hashlen != 32) goto invval;
+ require_len(32);
+ memmove(hashbuf, bufp, 32);
+ bufp += 32; lenp -= 32;
+
+ if (lenp != 0) goto invval;
+ free(buf);
+ buf = NULL;
+
+ switch(auth->authstate) {
case OTRL_AUTHSTATE_NONE:
case OTRL_AUTHSTATE_AWAITING_SIG:
case OTRL_AUTHSTATE_V1_SETUP:
+ /* Store the incoming information */
+ otrl_auth_clear(auth);
+ auth->protocol_version = version;
- /* Store the incoming information */
- otrl_auth_clear(auth);
- otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
- auth->our_keyid = 1;
- auth->encgx = encbuf;
- encbuf = NULL;
- auth->encgx_len = enclen;
- memcpy(auth->hashgx, hashbuf, 32);
+ otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
- /* Create a D-H Key Message */
- err = create_key_message(auth);
- if (err) goto err;
- auth->authstate = OTRL_AUTHSTATE_AWAITING_REVEALSIG;
+ auth->our_keyid = 1;
+ auth->encgx = encbuf;
+ encbuf = NULL;
+ auth->encgx_len = enclen;
+ memmove(auth->hashgx, hashbuf, 32);
- break;
+ /* Create a D-H Key Message */
+ err = create_key_message(auth);
+ if (err) goto err;
+ auth->authstate = OTRL_AUTHSTATE_AWAITING_REVEALSIG;
+ break;
case OTRL_AUTHSTATE_AWAITING_DHKEY:
- /* We sent a D-H Commit Message, and we also received one
- * back. Compare the hashgx values to see which one wins. */
- if (memcmp(auth->hashgx, hashbuf, 32) > 0) {
+ /* We sent a D-H Commit Message, and we also received one
+ * back. If we're the master context, then the keypair in here
+ * is probably stale; we just kept it around for a little
+ * while in case some other logged in instance of our buddy
+ * replied with a DHKEY message. In that case, use the
+ * incoming parameters. Otherwise, compare the hashgx
+ * values to see which one wins.
+ *
+ * This does NOT use constant time comparison because these
+ * are two public values thus don't need it. Also, this checks
+ * which pubkey is larger and not if they are the same. */
+ if (!is_master && memcmp(auth->hashgx, hashbuf, 32) > 0) {
/* Ours wins. Ignore the message we received, and just
* resend the same D-H Commit message again. */
free(encbuf);
encbuf = NULL;
- } else {
+ } else {
/* Ours loses. Use the incoming parameters instead. */
otrl_auth_clear(auth);
+ auth->protocol_version = version;
otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
auth->our_keyid = 1;
auth->encgx = encbuf;
encbuf = NULL;
auth->encgx_len = enclen;
- memcpy(auth->hashgx, hashbuf, 32);
+ memmove(auth->hashgx, hashbuf, 32);
/* Create a D-H Key Message */
err = create_key_message(auth);
if (err) goto err;
auth->authstate = OTRL_AUTHSTATE_AWAITING_REVEALSIG;
- }
- break;
+ }
+ break;
case OTRL_AUTHSTATE_AWAITING_REVEALSIG:
- /* Use the incoming parameters, but just retransmit the old
- * D-H Key Message. */
- free(auth->encgx);
- auth->encgx = encbuf;
- encbuf = NULL;
- auth->encgx_len = enclen;
- memcpy(auth->hashgx, hashbuf, 32);
- break;
- }
-
- return err;
+ /* Use the incoming parameters, but just retransmit the old
+ * D-H Key Message. */
+ free(auth->encgx);
+ auth->encgx = encbuf;
+ encbuf = NULL;
+ auth->encgx_len = enclen;
+ memmove(auth->hashgx, hashbuf, 32);
+ break;
+ }
+
+ return err;
invval:
- err = gcry_error(GPG_ERR_INV_VALUE);
- goto err;
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- free(encbuf);
- return err;
+ free(buf);
+ free(encbuf);
+ return err;
}
/*
@@ -358,92 +435,92 @@ static gcry_error_t calculate_pubkey_auth(unsigned char **authbufp,
gcry_mpi_t our_dh_pub, gcry_mpi_t their_dh_pub,
OtrlPrivKey *privkey, unsigned int keyid)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
- size_t ourpublen, theirpublen, totallen, lenp;
- unsigned char *buf = NULL, *bufp = NULL;
- unsigned char macbuf[32];
- unsigned char *sigbuf = NULL;
- size_t siglen;
-
- /* How big are the DH public keys? */
- gcry_mpi_print(format, NULL, 0, &ourpublen, our_dh_pub);
- gcry_mpi_print(format, NULL, 0, &theirpublen, their_dh_pub);
-
- /* How big is the total structure to be MAC'd? */
- totallen = 4 + ourpublen + 4 + theirpublen + 2 + privkey->pubkey_datalen
- + 4;
- buf = malloc(totallen);
- if (buf == NULL) goto memerr;
-
- bufp = buf;
- lenp = totallen;
-
- /* Write the data to be MAC'd */
- write_mpi(our_dh_pub, ourpublen, "Our DH pubkey");
- write_mpi(their_dh_pub, theirpublen, "Their DH pubkey");
- bufp[0] = ((privkey->pubkey_type) >> 8) & 0xff;
- bufp[1] = (privkey->pubkey_type) & 0xff;
- bufp += 2; lenp -= 2;
- memcpy(bufp, privkey->pubkey_data, privkey->pubkey_datalen);
- debug_data("Pubkey", bufp, privkey->pubkey_datalen);
- bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen;
- write_int(keyid);
- debug_int("Keyid", bufp-4);
-
- assert(lenp == 0);
-
- /* Do the MAC */
- gcry_md_reset(mackey);
- gcry_md_write(mackey, buf, totallen);
- memcpy(macbuf, gcry_md_read(mackey, GCRY_MD_SHA256), 32);
-
- free(buf);
- buf = NULL;
-
- /* Sign the MAC */
- err = otrl_privkey_sign(&sigbuf, &siglen, privkey, macbuf, 32);
- if (err) goto err;
-
- /* Calculate the total size of the structure to be encrypted */
- totallen = 2 + privkey->pubkey_datalen + 4 + siglen;
- buf = malloc(totallen);
- if (buf == NULL) goto memerr;
- bufp = buf;
- lenp = totallen;
-
- /* Write the data to be encrypted */
- bufp[0] = ((privkey->pubkey_type) >> 8) & 0xff;
- bufp[1] = (privkey->pubkey_type) & 0xff;
- bufp += 2; lenp -= 2;
- memcpy(bufp, privkey->pubkey_data, privkey->pubkey_datalen);
- debug_data("Pubkey", bufp, privkey->pubkey_datalen);
- bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen;
- write_int(keyid);
- debug_int("Keyid", bufp-4);
- memcpy(bufp, sigbuf, siglen);
- debug_data("Signature", bufp, siglen);
- bufp += siglen; lenp -= siglen;
- free(sigbuf);
- sigbuf = NULL;
-
- assert(lenp == 0);
-
- /* Now do the encryption */
- err = gcry_cipher_encrypt(enckey, buf, totallen, NULL, 0);
- if (err) goto err;
-
- *authbufp = buf;
- buf = NULL;
- *authlenp = totallen;
-
- return err;
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ size_t ourpublen, theirpublen, totallen, lenp;
+ unsigned char *buf = NULL, *bufp = NULL;
+ unsigned char macbuf[32];
+ unsigned char *sigbuf = NULL;
+ size_t siglen;
+
+ /* How big are the DH public keys? */
+ gcry_mpi_print(format, NULL, 0, &ourpublen, our_dh_pub);
+ gcry_mpi_print(format, NULL, 0, &theirpublen, their_dh_pub);
+
+ /* How big is the total structure to be MAC'd? */
+ totallen = 4 + ourpublen + 4 + theirpublen + 2 + privkey->pubkey_datalen
+ + 4;
+ buf = malloc(totallen);
+ if (buf == NULL) goto memerr;
+
+ bufp = buf;
+ lenp = totallen;
+
+ /* Write the data to be MAC'd */
+ write_mpi(our_dh_pub, ourpublen, "Our DH pubkey");
+ write_mpi(their_dh_pub, theirpublen, "Their DH pubkey");
+ bufp[0] = ((privkey->pubkey_type) >> 8) & 0xff;
+ bufp[1] = (privkey->pubkey_type) & 0xff;
+ bufp += 2; lenp -= 2;
+ memmove(bufp, privkey->pubkey_data, privkey->pubkey_datalen);
+ debug_data("Pubkey", bufp, privkey->pubkey_datalen);
+ bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen;
+ write_int(keyid);
+ debug_int("Keyid", bufp-4);
+
+ assert(lenp == 0);
+
+ /* Do the MAC */
+ gcry_md_reset(mackey);
+ gcry_md_write(mackey, buf, totallen);
+ memmove(macbuf, gcry_md_read(mackey, GCRY_MD_SHA256), 32);
+
+ free(buf);
+ buf = NULL;
+
+ /* Sign the MAC */
+ err = otrl_privkey_sign(&sigbuf, &siglen, privkey, macbuf, 32);
+ if (err) goto err;
+
+ /* Calculate the total size of the structure to be encrypted */
+ totallen = 2 + privkey->pubkey_datalen + 4 + siglen;
+ buf = malloc(totallen);
+ if (buf == NULL) goto memerr;
+ bufp = buf;
+ lenp = totallen;
+
+ /* Write the data to be encrypted */
+ bufp[0] = ((privkey->pubkey_type) >> 8) & 0xff;
+ bufp[1] = (privkey->pubkey_type) & 0xff;
+ bufp += 2; lenp -= 2;
+ memmove(bufp, privkey->pubkey_data, privkey->pubkey_datalen);
+ debug_data("Pubkey", bufp, privkey->pubkey_datalen);
+ bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen;
+ write_int(keyid);
+ debug_int("Keyid", bufp-4);
+ memmove(bufp, sigbuf, siglen);
+ debug_data("Signature", bufp, siglen);
+ bufp += siglen; lenp -= siglen;
+ free(sigbuf);
+ sigbuf = NULL;
+
+ assert(lenp == 0);
+
+ /* Now do the encryption */
+ err = gcry_cipher_encrypt(enckey, buf, totallen, NULL, 0);
+ if (err) goto err;
+
+ *authbufp = buf;
+ buf = NULL;
+ *authlenp = totallen;
+
+ return err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- free(sigbuf);
- return err;
+ free(buf);
+ free(sigbuf);
+ return err;
}
/*
@@ -458,107 +535,107 @@ static gcry_error_t check_pubkey_auth(unsigned char fingerprintbufp[20],
gcry_md_hd_t mackey, gcry_cipher_hd_t enckey,
gcry_mpi_t our_dh_pub, gcry_mpi_t their_dh_pub)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
- size_t ourpublen, theirpublen, totallen, lenp;
- unsigned char *buf = NULL, *bufp = NULL;
- unsigned char macbuf[32];
- unsigned short pubkey_type;
- gcry_mpi_t p,q,g,y;
- gcry_sexp_t pubs = NULL;
- unsigned int received_keyid;
- unsigned char *fingerprintstart, *fingerprintend, *sigbuf;
- size_t siglen;
-
- /* Start by decrypting it */
- err = gcry_cipher_decrypt(enckey, authbuf, authlen, NULL, 0);
- if (err) goto err;
-
- bufp = authbuf;
- lenp = authlen;
-
- /* Get the public key and calculate its fingerprint */
- require_len(2);
- pubkey_type = (bufp[0] << 8) + bufp[1];
- bufp += 2; lenp -= 2;
- if (pubkey_type != OTRL_PUBKEY_TYPE_DSA) goto invval;
- fingerprintstart = bufp;
- read_mpi(p);
- read_mpi(q);
- read_mpi(g);
- read_mpi(y);
- fingerprintend = bufp;
- gcry_md_hash_buffer(GCRY_MD_SHA1, fingerprintbufp,
- fingerprintstart, fingerprintend-fingerprintstart);
- gcry_sexp_build(&pubs, NULL,
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ size_t ourpublen, theirpublen, totallen, lenp;
+ unsigned char *buf = NULL, *bufp = NULL;
+ unsigned char macbuf[32];
+ unsigned short pubkey_type;
+ gcry_mpi_t p,q,g,y;
+ gcry_sexp_t pubs = NULL;
+ unsigned int received_keyid;
+ unsigned char *fingerprintstart, *fingerprintend, *sigbuf;
+ size_t siglen;
+
+ /* Start by decrypting it */
+ err = gcry_cipher_decrypt(enckey, authbuf, authlen, NULL, 0);
+ if (err) goto err;
+
+ bufp = authbuf;
+ lenp = authlen;
+
+ /* Get the public key and calculate its fingerprint */
+ require_len(2);
+ pubkey_type = (bufp[0] << 8) + bufp[1];
+ bufp += 2; lenp -= 2;
+ if (pubkey_type != OTRL_PUBKEY_TYPE_DSA) goto invval;
+ fingerprintstart = bufp;
+ read_mpi(p);
+ read_mpi(q);
+ read_mpi(g);
+ read_mpi(y);
+ fingerprintend = bufp;
+ gcry_md_hash_buffer(GCRY_MD_SHA1, fingerprintbufp,
+ fingerprintstart, fingerprintend-fingerprintstart);
+ gcry_sexp_build(&pubs, NULL,
"(public-key (dsa (p %m)(q %m)(g %m)(y %m)))", p, q, g, y);
- gcry_mpi_release(p);
- gcry_mpi_release(q);
- gcry_mpi_release(g);
- gcry_mpi_release(y);
+ gcry_mpi_release(p);
+ gcry_mpi_release(q);
+ gcry_mpi_release(g);
+ gcry_mpi_release(y);
- /* Get the keyid */
- read_int(received_keyid);
- if (received_keyid == 0) goto invval;
+ /* Get the keyid */
+ read_int(received_keyid);
+ if (received_keyid == 0) goto invval;
- /* Get the signature */
- sigbuf = bufp;
- siglen = lenp;
+ /* Get the signature */
+ sigbuf = bufp;
+ siglen = lenp;
- /* How big are the DH public keys? */
- gcry_mpi_print(format, NULL, 0, &ourpublen, our_dh_pub);
- gcry_mpi_print(format, NULL, 0, &theirpublen, their_dh_pub);
+ /* How big are the DH public keys? */
+ gcry_mpi_print(format, NULL, 0, &ourpublen, our_dh_pub);
+ gcry_mpi_print(format, NULL, 0, &theirpublen, their_dh_pub);
- /* Now calculate the message to be MAC'd. */
- totallen = 4 + ourpublen + 4 + theirpublen + 2 +
+ /* Now calculate the message to be MAC'd. */
+ totallen = 4 + ourpublen + 4 + theirpublen + 2 +
(fingerprintend - fingerprintstart) + 4;
- buf = malloc(totallen);
- if (buf == NULL) goto memerr;
-
- bufp = buf;
- lenp = totallen;
-
- write_mpi(their_dh_pub, theirpublen, "Their DH pubkey");
- write_mpi(our_dh_pub, ourpublen, "Our DH pubkey");
- bufp[0] = (pubkey_type >> 8) & 0xff;
- bufp[1] = pubkey_type & 0xff;
- bufp += 2; lenp -= 2;
- memcpy(bufp, fingerprintstart, fingerprintend - fingerprintstart);
- debug_data("Pubkey", bufp, fingerprintend - fingerprintstart);
- bufp += fingerprintend - fingerprintstart;
- lenp -= fingerprintend - fingerprintstart;
- write_int(received_keyid);
- debug_int("Keyid", bufp-4);
-
- assert(lenp == 0);
-
- /* Do the MAC */
- gcry_md_reset(mackey);
- gcry_md_write(mackey, buf, totallen);
- memcpy(macbuf, gcry_md_read(mackey, GCRY_MD_SHA256), 32);
-
- free(buf);
- buf = NULL;
-
- /* Verify the signature on the MAC */
- err = otrl_privkey_verify(sigbuf, siglen, pubkey_type, pubs, macbuf, 32);
- if (err) goto err;
- gcry_sexp_release(pubs);
- pubs = NULL;
-
- /* Everything checked out */
- *keyidp = received_keyid;
-
- return err;
+ buf = malloc(totallen);
+ if (buf == NULL) goto memerr;
+
+ bufp = buf;
+ lenp = totallen;
+
+ write_mpi(their_dh_pub, theirpublen, "Their DH pubkey");
+ write_mpi(our_dh_pub, ourpublen, "Our DH pubkey");
+ bufp[0] = (pubkey_type >> 8) & 0xff;
+ bufp[1] = pubkey_type & 0xff;
+ bufp += 2; lenp -= 2;
+ memmove(bufp, fingerprintstart, fingerprintend - fingerprintstart);
+ debug_data("Pubkey", bufp, fingerprintend - fingerprintstart);
+ bufp += fingerprintend - fingerprintstart;
+ lenp -= fingerprintend - fingerprintstart;
+ write_int(received_keyid);
+ debug_int("Keyid", bufp-4);
+
+ assert(lenp == 0);
+
+ /* Do the MAC */
+ gcry_md_reset(mackey);
+ gcry_md_write(mackey, buf, totallen);
+ memmove(macbuf, gcry_md_read(mackey, GCRY_MD_SHA256), 32);
+
+ free(buf);
+ buf = NULL;
+
+ /* Verify the signature on the MAC */
+ err = otrl_privkey_verify(sigbuf, siglen, pubkey_type, pubs, macbuf, 32);
+ if (err) goto err;
+ gcry_sexp_release(pubs);
+ pubs = NULL;
+
+ /* Everything checked out */
+ *keyidp = received_keyid;
+
+ return err;
invval:
- err = gcry_error(GPG_ERR_INV_VALUE);
- goto err;
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- gcry_sexp_release(pubs);
- return err;
+ free(buf);
+ gcry_sexp_release(pubs);
+ return err;
}
/*
@@ -569,67 +646,74 @@ err:
static gcry_error_t create_revealsig_message(OtrlAuthInfo *auth,
OtrlPrivKey *privkey)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- unsigned char *buf = NULL, *bufp, *startmac;
- size_t buflen, lenp;
-
- unsigned char *authbuf = NULL;
- size_t authlen;
-
- /* Get the encrypted authenticator */
- err = calculate_pubkey_auth(&authbuf, &authlen, auth->mac_m1, auth->enc_c,
- auth->our_dh.pub, auth->their_pub, privkey, auth->our_keyid);
- if (err) goto err;
-
- buflen = 3 + 4 + 16 + 4 + authlen + 20;
- buf = malloc(buflen);
- if (buf == NULL) goto memerr;
-
- bufp = buf;
- lenp = buflen;
-
- memcpy(bufp, "\x00\x02\x11", 3); /* header */
- debug_data("Header", bufp, 3);
- bufp += 3; lenp -= 3;
-
- /* r */
- write_int(16);
- memcpy(bufp, auth->r, 16);
- debug_data("r", bufp, 16);
- bufp += 16; lenp -= 16;
-
- /* Encrypted authenticator */
- startmac = bufp;
- write_int(authlen);
- memcpy(bufp, authbuf, authlen);
- debug_data("auth", bufp, authlen);
- bufp += authlen; lenp -= authlen;
- free(authbuf);
- authbuf = NULL;
-
- /* MAC it, but only take the first 20 bytes */
- gcry_md_reset(auth->mac_m2);
- gcry_md_write(auth->mac_m2, startmac, bufp - startmac);
- memcpy(bufp, gcry_md_read(auth->mac_m2, GCRY_MD_SHA256), 20);
- debug_data("MAC", bufp, 20);
- bufp += 20; lenp -= 20;
-
- assert(lenp == 0);
-
- free(auth->lastauthmsg);
- auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
- if (auth->lastauthmsg == NULL) goto memerr;
- free(buf);
- buf = NULL;
-
- return err;
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp, *startmac;
+ size_t buflen, lenp;
+
+ unsigned char *authbuf = NULL;
+ size_t authlen;
+
+ /* Get the encrypted authenticator */
+ err = calculate_pubkey_auth(&authbuf, &authlen, auth->mac_m1, auth->enc_c,
+ auth->our_dh.pub, auth->their_pub, privkey, auth->our_keyid);
+ if (err) goto err;
+
+ buflen = OTRL_HEADER_LEN + (auth->protocol_version == 3 ? 8 : 0) + 4 + 16
+ + 4 + authlen + 20;
+ buf = malloc(buflen);
+ if (buf == NULL) goto memerr;
+
+ bufp = buf;
+ lenp = buflen;
+
+ /* header */
+ write_header(auth->protocol_version, '\x11');
+ if (auth->protocol_version == 3) {
+ /* instance tags */
+ write_int(auth->context->our_instance);
+ debug_int("Sender instag", bufp-4);
+ write_int(auth->context->their_instance);
+ debug_int("Recipient instag", bufp-4);
+ }
+
+ /* r */
+ write_int(16);
+ memmove(bufp, auth->r, 16);
+ debug_data("r", bufp, 16);
+ bufp += 16; lenp -= 16;
+
+ /* Encrypted authenticator */
+ startmac = bufp;
+ write_int(authlen);
+ memmove(bufp, authbuf, authlen);
+ debug_data("auth", bufp, authlen);
+ bufp += authlen; lenp -= authlen;
+ free(authbuf);
+ authbuf = NULL;
+
+ /* MAC it, but only take the first 20 bytes */
+ gcry_md_reset(auth->mac_m2);
+ gcry_md_write(auth->mac_m2, startmac, bufp - startmac);
+ memmove(bufp, gcry_md_read(auth->mac_m2, GCRY_MD_SHA256), 20);
+ debug_data("MAC", bufp, 20);
+ bufp += 20; lenp -= 20;
+
+ assert(lenp == 0);
+
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
+ if (auth->lastauthmsg == NULL) goto memerr;
+ free(buf);
+ buf = NULL;
+
+ return err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- free(authbuf);
- return err;
+ free(buf);
+ free(authbuf);
+ return err;
}
/*
@@ -640,62 +724,69 @@ err:
static gcry_error_t create_signature_message(OtrlAuthInfo *auth,
OtrlPrivKey *privkey)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- unsigned char *buf = NULL, *bufp, *startmac;
- size_t buflen, lenp;
-
- unsigned char *authbuf = NULL;
- size_t authlen;
-
- /* Get the encrypted authenticator */
- err = calculate_pubkey_auth(&authbuf, &authlen, auth->mac_m1p,
- auth->enc_cp, auth->our_dh.pub, auth->their_pub, privkey,
- auth->our_keyid);
- if (err) goto err;
-
- buflen = 3 + 4 + authlen + 20;
- buf = malloc(buflen);
- if (buf == NULL) goto memerr;
-
- bufp = buf;
- lenp = buflen;
-
- memcpy(bufp, "\x00\x02\x12", 3); /* header */
- debug_data("Header", bufp, 3);
- bufp += 3; lenp -= 3;
-
- /* Encrypted authenticator */
- startmac = bufp;
- write_int(authlen);
- memcpy(bufp, authbuf, authlen);
- debug_data("auth", bufp, authlen);
- bufp += authlen; lenp -= authlen;
- free(authbuf);
- authbuf = NULL;
-
- /* MAC it, but only take the first 20 bytes */
- gcry_md_reset(auth->mac_m2p);
- gcry_md_write(auth->mac_m2p, startmac, bufp - startmac);
- memcpy(bufp, gcry_md_read(auth->mac_m2p, GCRY_MD_SHA256), 20);
- debug_data("MAC", bufp, 20);
- bufp += 20; lenp -= 20;
-
- assert(lenp == 0);
-
- free(auth->lastauthmsg);
- auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
- if (auth->lastauthmsg == NULL) goto memerr;
- free(buf);
- buf = NULL;
-
- return err;
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp, *startmac;
+ size_t buflen, lenp;
+
+ unsigned char *authbuf = NULL;
+ size_t authlen;
+
+ /* Get the encrypted authenticator */
+ err = calculate_pubkey_auth(&authbuf, &authlen, auth->mac_m1p,
+ auth->enc_cp, auth->our_dh.pub, auth->their_pub, privkey,
+ auth->our_keyid);
+ if (err) goto err;
+
+ buflen = OTRL_HEADER_LEN + (auth->protocol_version == 3 ? 8 : 0) + 4
+ + authlen + 20;
+ buf = malloc(buflen);
+ if (buf == NULL) goto memerr;
+
+ bufp = buf;
+ lenp = buflen;
+
+ /* header */
+ write_header(auth->protocol_version, '\x12');
+ if (auth->protocol_version == 3) {
+ /* instance tags */
+ write_int(auth->context->our_instance);
+ debug_int("Sender instag", bufp-4);
+ write_int(auth->context->their_instance);
+ debug_int("Recipient instag", bufp-4);
+ }
+
+ /* Encrypted authenticator */
+ startmac = bufp;
+ write_int(authlen);
+ memmove(bufp, authbuf, authlen);
+ debug_data("auth", bufp, authlen);
+ bufp += authlen; lenp -= authlen;
+ free(authbuf);
+ authbuf = NULL;
+
+ /* MAC it, but only take the first 20 bytes */
+ gcry_md_reset(auth->mac_m2p);
+ gcry_md_write(auth->mac_m2p, startmac, bufp - startmac);
+ memmove(bufp, gcry_md_read(auth->mac_m2p, GCRY_MD_SHA256), 20);
+ debug_data("MAC", bufp, 20);
+ bufp += 20; lenp -= 20;
+
+ assert(lenp == 0);
+
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
+ if (auth->lastauthmsg == NULL) goto memerr;
+ free(buf);
+ buf = NULL;
+
+ return err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- free(authbuf);
- return err;
+ free(buf);
+ free(authbuf);
+ return err;
}
/*
@@ -706,85 +797,99 @@ err:
gcry_error_t otrl_auth_handle_key(OtrlAuthInfo *auth, const char *keymsg,
int *havemsgp, OtrlPrivKey *privkey)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- unsigned char *buf = NULL, *bufp = NULL;
- size_t buflen, lenp;
- gcry_mpi_t incoming_pub = NULL;
- int res;
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL;
+ size_t buflen, lenp;
+ gcry_mpi_t incoming_pub = NULL;
+ int res;
+ unsigned int msg_version;
- *havemsgp = 0;
+ *havemsgp = 0;
- res = otrl_base64_otr_decode(keymsg, &buf, &buflen);
- if (res == -1) goto memerr;
- if (res == -2) goto invval;
+ msg_version = otrl_proto_message_version(keymsg);
- bufp = buf;
- lenp = buflen;
+ res = otrl_base64_otr_decode(keymsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
- /* Header */
- if (memcmp(bufp, "\x00\x02\x0a", 3)) goto invval;
- bufp += 3; lenp -= 3;
+ bufp = buf;
+ lenp = buflen;
- /* g^y */
- read_mpi(incoming_pub);
+ /* Header */
+ skip_header('\x0a');
- if (lenp != 0) goto invval;
- free(buf);
- buf = NULL;
+ if (msg_version == 3) {
+ require_len(8);
+ bufp += 8; lenp -= 8;
+ }
- switch(auth->authstate) {
- case OTRL_AUTHSTATE_AWAITING_DHKEY:
- /* Store the incoming public key */
- gcry_mpi_release(auth->their_pub);
- auth->their_pub = incoming_pub;
- incoming_pub = NULL;
-
- /* Compute the encryption and MAC keys */
- err = otrl_dh_compute_v2_auth_keys(&(auth->our_dh),
- auth->their_pub, auth->secure_session_id,
- &(auth->secure_session_id_len),
- &(auth->enc_c), &(auth->enc_cp),
- &(auth->mac_m1), &(auth->mac_m1p),
- &(auth->mac_m2), &(auth->mac_m2p));
- if (err) goto err;
+ /* g^y */
+ read_mpi(incoming_pub);
- /* Create the Reveal Signature Message */
- err = create_revealsig_message(auth, privkey);
- if (err) goto err;
- *havemsgp = 1;
- auth->authstate = OTRL_AUTHSTATE_AWAITING_SIG;
+ if (lenp != 0) goto invval;
+ free(buf);
+ buf = NULL;
- break;
+ switch(auth->authstate) {
+ case OTRL_AUTHSTATE_AWAITING_DHKEY:
+ /* The other party may also be establishing a session with
+ another instance running a different version. Ignore any
+ DHKEY messages we aren't expecting. */
+ if (msg_version != auth->protocol_version) {
+ goto err;
+ }
+
+ /* Store the incoming public key */
+ gcry_mpi_release(auth->their_pub);
+ auth->their_pub = incoming_pub;
+ incoming_pub = NULL;
+
+ /* Compute the encryption and MAC keys */
+ err = otrl_dh_compute_v2_auth_keys(&(auth->our_dh),
+ auth->their_pub, auth->secure_session_id,
+ &(auth->secure_session_id_len),
+ &(auth->enc_c), &(auth->enc_cp),
+ &(auth->mac_m1), &(auth->mac_m1p),
+ &(auth->mac_m2), &(auth->mac_m2p));
+ if (err) goto err;
+
+ /* Create the Reveal Signature Message */
+ err = create_revealsig_message(auth, privkey);
+ if (err) goto err;
+ *havemsgp = 1;
+ auth->authstate = OTRL_AUTHSTATE_AWAITING_SIG;
+
+ break;
case OTRL_AUTHSTATE_AWAITING_SIG:
- if (gcry_mpi_cmp(incoming_pub, auth->their_pub) == 0) {
+ if (gcry_mpi_cmp(incoming_pub, auth->their_pub) == 0) {
/* Retransmit the Reveal Signature Message */
*havemsgp = 1;
- } else {
+ } else {
/* Ignore this message */
*havemsgp = 0;
- }
- break;
+ }
+ break;
case OTRL_AUTHSTATE_NONE:
case OTRL_AUTHSTATE_AWAITING_REVEALSIG:
case OTRL_AUTHSTATE_V1_SETUP:
- /* Ignore this message */
- *havemsgp = 0;
- break;
- }
+ /* Ignore this message */
+ *havemsgp = 0;
+ break;
+ }
- gcry_mpi_release(incoming_pub);
- return err;
+ gcry_mpi_release(incoming_pub);
+ return err;
invval:
- err = gcry_error(GPG_ERR_INV_VALUE);
- goto err;
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- gcry_mpi_release(incoming_pub);
- return err;
+ free(buf);
+ gcry_mpi_release(incoming_pub);
+ return err;
}
/*
@@ -799,162 +904,172 @@ gcry_error_t otrl_auth_handle_revealsig(OtrlAuthInfo *auth,
gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata),
void *asdata)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- unsigned char *buf = NULL, *bufp = NULL, *gxbuf = NULL;
- unsigned char *authstart, *authend, *macstart;
- size_t buflen, lenp, rlen, authlen;
- gcry_cipher_hd_t enc = NULL;
- gcry_mpi_t incoming_pub = NULL;
- unsigned char ctr[16], hashbuf[32];
- int res;
-
- *havemsgp = 0;
-
- res = otrl_base64_otr_decode(revealmsg, &buf, &buflen);
- if (res == -1) goto memerr;
- if (res == -2) goto invval;
-
- bufp = buf;
- lenp = buflen;
-
- /* Header */
- if (memcmp(bufp, "\x00\x02\x11", 3)) goto invval;
- bufp += 3; lenp -= 3;
-
- /* r */
- read_int(rlen);
- if (rlen != 16) goto invval;
- require_len(rlen);
- memcpy(auth->r, bufp, rlen);
- bufp += rlen; lenp -= rlen;
-
- /* auth */
- authstart = bufp;
- read_int(authlen);
- require_len(authlen);
- bufp += authlen; lenp -= authlen;
- authend = bufp;
-
- /* MAC */
- require_len(20);
- macstart = bufp;
- bufp += 20; lenp -= 20;
-
- if (lenp != 0) goto invval;
-
- switch(auth->authstate) {
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL, *gxbuf = NULL;
+ unsigned char *authstart, *authend, *macstart;
+ size_t buflen, lenp, rlen, authlen;
+ gcry_cipher_hd_t enc = NULL;
+ gcry_mpi_t incoming_pub = NULL;
+ unsigned char ctr[16], hashbuf[32];
+ int res;
+ unsigned char version;
+
+ *havemsgp = 0;
+
+ res = otrl_base64_otr_decode(revealmsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
+
+ bufp = buf;
+ lenp = buflen;
+
+ require_len(3);
+ version = bufp[1];
+
+ /* Header */
+ skip_header('\x11');
+
+ if (version == 3) {
+ require_len(8);
+ bufp += 8; lenp -= 8;
+ }
+
+ /* r */
+ read_int(rlen);
+ if (rlen != 16) goto invval;
+ require_len(rlen);
+ memmove(auth->r, bufp, rlen);
+ bufp += rlen; lenp -= rlen;
+
+ /* auth */
+ authstart = bufp;
+ read_int(authlen);
+ require_len(authlen);
+ bufp += authlen; lenp -= authlen;
+ authend = bufp;
+
+ /* MAC */
+ require_len(20);
+ macstart = bufp;
+ bufp += 20; lenp -= 20;
+
+ if (lenp != 0) goto invval;
+
+ switch(auth->authstate) {
case OTRL_AUTHSTATE_AWAITING_REVEALSIG:
- gxbuf = malloc(auth->encgx_len);
- if (auth->encgx_len && gxbuf == NULL) goto memerr;
-
- /* Use r to decrypt the value of g^x we received earlier */
- err = gcry_cipher_open(&enc, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR,
- GCRY_CIPHER_SECURE);
- if (err) goto err;
-
- err = gcry_cipher_setkey(enc, auth->r, 16);
- if (err) goto err;
-
- memset(ctr, 0, 16);
- err = gcry_cipher_setctr(enc, ctr, 16);
- if (err) goto err;
-
- err = gcry_cipher_decrypt(enc, gxbuf, auth->encgx_len,
- auth->encgx, auth->encgx_len);
- if (err) goto err;
-
- gcry_cipher_close(enc);
- enc = NULL;
-
- /* Check the hash */
- gcry_md_hash_buffer(GCRY_MD_SHA256, hashbuf, gxbuf,
- auth->encgx_len);
- if (memcmp(hashbuf, auth->hashgx, 32)) goto decfail;
-
- /* Extract g^x */
- bufp = gxbuf;
- lenp = auth->encgx_len;
-
- read_mpi(incoming_pub);
- free(gxbuf);
- gxbuf = NULL;
-
- if (lenp != 0) goto invval;
-
- gcry_mpi_release(auth->their_pub);
- auth->their_pub = incoming_pub;
- incoming_pub = NULL;
-
- /* Compute the encryption and MAC keys */
- err = otrl_dh_compute_v2_auth_keys(&(auth->our_dh),
- auth->their_pub, auth->secure_session_id,
- &(auth->secure_session_id_len),
- &(auth->enc_c), &(auth->enc_cp),
- &(auth->mac_m1), &(auth->mac_m1p),
- &(auth->mac_m2), &(auth->mac_m2p));
- if (err) goto err;
-
- /* Check the MAC */
- gcry_md_reset(auth->mac_m2);
- gcry_md_write(auth->mac_m2, authstart, authend - authstart);
- if (memcmp(macstart,
+ gxbuf = malloc(auth->encgx_len);
+ if (auth->encgx_len && gxbuf == NULL) goto memerr;
+
+ /* Use r to decrypt the value of g^x we received earlier */
+ err = gcry_cipher_open(&enc, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR,
+ GCRY_CIPHER_SECURE);
+ if (err) goto err;
+
+ err = gcry_cipher_setkey(enc, auth->r, 16);
+ if (err) goto err;
+
+ memset(ctr, 0, 16);
+ err = gcry_cipher_setctr(enc, ctr, 16);
+ if (err) goto err;
+
+ err = gcry_cipher_decrypt(enc, gxbuf, auth->encgx_len,
+ auth->encgx, auth->encgx_len);
+ if (err) goto err;
+
+ gcry_cipher_close(enc);
+ enc = NULL;
+
+ /* Check the hash */
+ gcry_md_hash_buffer(GCRY_MD_SHA256, hashbuf, gxbuf,
+ auth->encgx_len);
+ /* This isn't comparing secret data, but may as well use the
+ * constant-time version. */
+ if (otrl_mem_differ(hashbuf, auth->hashgx, 32)) goto decfail;
+
+ /* Extract g^x */
+ bufp = gxbuf;
+ lenp = auth->encgx_len;
+
+ read_mpi(incoming_pub);
+ free(gxbuf);
+ gxbuf = NULL;
+
+ if (lenp != 0) goto invval;
+
+ gcry_mpi_release(auth->their_pub);
+ auth->their_pub = incoming_pub;
+ incoming_pub = NULL;
+
+ /* Compute the encryption and MAC keys */
+ err = otrl_dh_compute_v2_auth_keys(&(auth->our_dh),
+ auth->their_pub, auth->secure_session_id,
+ &(auth->secure_session_id_len),
+ &(auth->enc_c), &(auth->enc_cp),
+ &(auth->mac_m1), &(auth->mac_m1p),
+ &(auth->mac_m2), &(auth->mac_m2p));
+ if (err) goto err;
+
+ /* Check the MAC */
+ gcry_md_reset(auth->mac_m2);
+ gcry_md_write(auth->mac_m2, authstart, authend - authstart);
+
+ if (otrl_mem_differ(macstart,
gcry_md_read(auth->mac_m2, GCRY_MD_SHA256),
20)) goto invval;
- /* Check the auth */
- err = check_pubkey_auth(auth->their_fingerprint,
- &(auth->their_keyid), authstart + 4,
- authend - authstart - 4, auth->mac_m1, auth->enc_c,
- auth->our_dh.pub, auth->their_pub);
- if (err) goto err;
-
- authstart = NULL;
- authend = NULL;
- macstart = NULL;
- free(buf);
- buf = NULL;
-
- /* Create the Signature Message */
- err = create_signature_message(auth, privkey);
- if (err) goto err;
-
- /* No error? Then we've completed our end of the
- * authentication. */
- auth->protocol_version = 2;
- auth->session_id_half = OTRL_SESSIONID_SECOND_HALF_BOLD;
- if (auth_succeeded) err = auth_succeeded(auth, asdata);
- *havemsgp = 1;
- auth->our_keyid = 0;
- auth->authstate = OTRL_AUTHSTATE_NONE;
-
- break;
+ /* Check the auth */
+ err = check_pubkey_auth(auth->their_fingerprint,
+ &(auth->their_keyid), authstart + 4,
+ authend - authstart - 4, auth->mac_m1, auth->enc_c,
+ auth->our_dh.pub, auth->their_pub);
+ if (err) goto err;
+
+ authstart = NULL;
+ authend = NULL;
+ macstart = NULL;
+ free(buf);
+ buf = NULL;
+
+ /* Create the Signature Message */
+ err = create_signature_message(auth, privkey);
+ if (err) goto err;
+
+ /* No error? Then we've completed our end of the
+ * authentication. */
+ auth->session_id_half = OTRL_SESSIONID_SECOND_HALF_BOLD;
+ if (auth_succeeded) err = auth_succeeded(auth, asdata);
+ *havemsgp = 1;
+ auth->our_keyid = 0;
+ auth->authstate = OTRL_AUTHSTATE_NONE;
+
+ break;
case OTRL_AUTHSTATE_NONE:
case OTRL_AUTHSTATE_AWAITING_DHKEY:
case OTRL_AUTHSTATE_AWAITING_SIG:
case OTRL_AUTHSTATE_V1_SETUP:
- /* Ignore this message */
- *havemsgp = 0;
- free(buf);
- buf = NULL;
- break;
- }
+ /* Ignore this message */
+ *havemsgp = 0;
+ free(buf);
+ buf = NULL;
+ break;
+ }
- return err;
+ return err;
decfail:
- err = gcry_error(GPG_ERR_NO_ERROR);
- goto err;
+ err = gcry_error(GPG_ERR_NO_ERROR);
+ goto err;
invval:
- err = gcry_error(GPG_ERR_INV_VALUE);
- goto err;
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- free(gxbuf);
- gcry_cipher_close(enc);
- gcry_mpi_release(incoming_pub);
- return err;
+ free(buf);
+ free(gxbuf);
+ gcry_cipher_close(enc);
+ gcry_mpi_release(incoming_pub);
+ return err;
}
/*
@@ -968,92 +1083,101 @@ gcry_error_t otrl_auth_handle_signature(OtrlAuthInfo *auth,
gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata),
void *asdata)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- unsigned char *buf = NULL, *bufp = NULL;
- unsigned char *authstart, *authend, *macstart;
- size_t buflen, lenp, authlen;
- int res;
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL;
+ unsigned char *authstart, *authend, *macstart;
+ size_t buflen, lenp, authlen;
+ int res;
+ unsigned char version;
- *havemsgp = 0;
+ *havemsgp = 0;
+
+ res = otrl_base64_otr_decode(sigmsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
+
+ bufp = buf;
+ lenp = buflen;
- res = otrl_base64_otr_decode(sigmsg, &buf, &buflen);
- if (res == -1) goto memerr;
- if (res == -2) goto invval;
+ require_len(3);
+ version = bufp[1];
- bufp = buf;
- lenp = buflen;
+ /* Header */
+ skip_header('\x12');
- /* Header */
- if (memcmp(bufp, "\x00\x02\x12", 3)) goto invval;
- bufp += 3; lenp -= 3;
+ if (version == 3) {
+ require_len(8);
+ bufp += 8; lenp -= 8;
+ }
- /* auth */
- authstart = bufp;
- read_int(authlen);
- require_len(authlen);
- bufp += authlen; lenp -= authlen;
- authend = bufp;
+ /* auth */
+ authstart = bufp;
+ read_int(authlen);
+ require_len(authlen);
+ bufp += authlen; lenp -= authlen;
+ authend = bufp;
- /* MAC */
- require_len(20);
- macstart = bufp;
- bufp += 20; lenp -= 20;
+ /* MAC */
+ require_len(20);
+ macstart = bufp;
+ bufp += 20; lenp -= 20;
- if (lenp != 0) goto invval;
+ if (lenp != 0) goto invval;
- switch(auth->authstate) {
+ switch(auth->authstate) {
case OTRL_AUTHSTATE_AWAITING_SIG:
- /* Check the MAC */
- gcry_md_reset(auth->mac_m2p);
- gcry_md_write(auth->mac_m2p, authstart, authend - authstart);
- if (memcmp(macstart,
+ /* Check the MAC */
+ gcry_md_reset(auth->mac_m2p);
+ gcry_md_write(auth->mac_m2p, authstart, authend - authstart);
+ if (otrl_mem_differ(macstart,
gcry_md_read(auth->mac_m2p, GCRY_MD_SHA256),
20)) goto invval;
- /* Check the auth */
- err = check_pubkey_auth(auth->their_fingerprint,
- &(auth->their_keyid), authstart + 4,
- authend - authstart - 4, auth->mac_m1p, auth->enc_cp,
- auth->our_dh.pub, auth->their_pub);
- if (err) goto err;
-
- authstart = NULL;
- authend = NULL;
- macstart = NULL;
- free(buf);
- buf = NULL;
-
- /* No error? Then we've completed our end of the
- * authentication. */
- auth->protocol_version = 2;
- auth->session_id_half = OTRL_SESSIONID_FIRST_HALF_BOLD;
- if (auth_succeeded) err = auth_succeeded(auth, asdata);
- free(auth->lastauthmsg);
- auth->lastauthmsg = NULL;
- *havemsgp = 1;
- auth->our_keyid = 0;
- auth->authstate = OTRL_AUTHSTATE_NONE;
-
- break;
+ /* Check the auth */
+ err = check_pubkey_auth(auth->their_fingerprint,
+ &(auth->their_keyid), authstart + 4,
+ authend - authstart - 4, auth->mac_m1p, auth->enc_cp,
+ auth->our_dh.pub, auth->their_pub);
+ if (err) goto err;
+
+ authstart = NULL;
+ authend = NULL;
+ macstart = NULL;
+ free(buf);
+ buf = NULL;
+
+ /* No error? Then we've completed our end of the
+ * authentication. */
+ auth->session_id_half = OTRL_SESSIONID_FIRST_HALF_BOLD;
+ if (auth_succeeded) err = auth_succeeded(auth, asdata);
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = NULL;
+ *havemsgp = 0;
+ auth->our_keyid = 0;
+ auth->authstate = OTRL_AUTHSTATE_NONE;
+
+ break;
case OTRL_AUTHSTATE_NONE:
case OTRL_AUTHSTATE_AWAITING_DHKEY:
case OTRL_AUTHSTATE_AWAITING_REVEALSIG:
case OTRL_AUTHSTATE_V1_SETUP:
- /* Ignore this message */
- *havemsgp = 0;
- break;
- }
+ /* Ignore this message */
+ *havemsgp = 0;
+ free(buf);
+ buf = NULL;
+ break;
+ }
- return err;
+ return err;
invval:
- err = gcry_error(GPG_ERR_INV_VALUE);
- goto err;
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- return err;
+ free(buf);
+ return err;
}
/* Version 1 routines, for compatibility */
@@ -1066,75 +1190,75 @@ err:
static gcry_error_t create_v1_key_exchange_message(OtrlAuthInfo *auth,
unsigned char reply, OtrlPrivKey *privkey)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
- unsigned char *buf = NULL, *bufp = NULL, *sigbuf = NULL;
- size_t lenp, ourpublen, totallen, siglen;
- unsigned char hashbuf[20];
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ unsigned char *buf = NULL, *bufp = NULL, *sigbuf = NULL;
+ size_t lenp, ourpublen, totallen, siglen;
+ unsigned char hashbuf[20];
- if (privkey->pubkey_type != OTRL_PUBKEY_TYPE_DSA) {
+ if (privkey->pubkey_type != OTRL_PUBKEY_TYPE_DSA) {
return gpg_error(GPG_ERR_INV_VALUE);
- }
+ }
- /* How big is the DH public key? */
- gcry_mpi_print(format, NULL, 0, &ourpublen, auth->our_dh.pub);
+ /* How big is the DH public key? */
+ gcry_mpi_print(format, NULL, 0, &ourpublen, auth->our_dh.pub);
- totallen = 3 + 1 + privkey->pubkey_datalen + 4 + 4 + ourpublen + 40;
- buf = malloc(totallen);
- if (buf == NULL) goto memerr;
+ totallen = 3 + 1 + privkey->pubkey_datalen + 4 + 4 + ourpublen + 40;
+ buf = malloc(totallen);
+ if (buf == NULL) goto memerr;
- bufp = buf;
- lenp = totallen;
+ bufp = buf;
+ lenp = totallen;
- memcpy(bufp, "\x00\x01\x0a", 3); /* header */
- debug_data("Header", bufp, 3);
- bufp += 3; lenp -= 3;
+ memmove(bufp, "\x00\x01\x0a", 3); /* header */
+ debug_data("Header", bufp, 3);
+ bufp += 3; lenp -= 3;
- bufp[0] = reply;
- debug_data("Reply", bufp, 1);
- bufp += 1; lenp -= 1;
+ bufp[0] = reply;
+ debug_data("Reply", bufp, 1);
+ bufp += 1; lenp -= 1;
- memcpy(bufp, privkey->pubkey_data, privkey->pubkey_datalen);
- debug_data("Pubkey", bufp, privkey->pubkey_datalen);
- bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen;
+ memmove(bufp, privkey->pubkey_data, privkey->pubkey_datalen);
+ debug_data("Pubkey", bufp, privkey->pubkey_datalen);
+ bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen;
- write_int(auth->our_keyid);
- debug_int("Keyid", bufp-4);
+ write_int(auth->our_keyid);
+ debug_int("Keyid", bufp-4);
- write_mpi(auth->our_dh.pub, ourpublen, "D-H y");
+ write_mpi(auth->our_dh.pub, ourpublen, "D-H y");
- /* Hash all the data written so far, and sign the hash */
- gcry_md_hash_buffer(GCRY_MD_SHA1, hashbuf, buf, bufp - buf);
+ /* Hash all the data written so far, and sign the hash */
+ gcry_md_hash_buffer(GCRY_MD_SHA1, hashbuf, buf, bufp - buf);
- err = otrl_privkey_sign(&sigbuf, &siglen, privkey, hashbuf, 20);
- if (err) goto err;
+ err = otrl_privkey_sign(&sigbuf, &siglen, privkey, hashbuf, 20);
+ if (err) goto err;
- if (siglen != 40) goto invval;
- memcpy(bufp, sigbuf, 40);
- debug_data("Signature", bufp, 40);
- bufp += 40; lenp -= 40;
- free(sigbuf);
- sigbuf = NULL;
+ if (siglen != 40) goto invval;
+ memmove(bufp, sigbuf, 40);
+ debug_data("Signature", bufp, 40);
+ bufp += 40; lenp -= 40;
+ free(sigbuf);
+ sigbuf = NULL;
- assert(lenp == 0);
+ assert(lenp == 0);
- free(auth->lastauthmsg);
- auth->lastauthmsg = otrl_base64_otr_encode(buf, totallen);
- if (auth->lastauthmsg == NULL) goto memerr;
- free(buf);
- buf = NULL;
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, totallen);
+ if (auth->lastauthmsg == NULL) goto memerr;
+ free(buf);
+ buf = NULL;
- return err;
+ return err;
invval:
- err = gcry_error(GPG_ERR_INV_VALUE);
- goto err;
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- free(sigbuf);
- return err;
+ free(buf);
+ free(sigbuf);
+ return err;
}
/*
@@ -1147,27 +1271,28 @@ err:
gcry_error_t otrl_auth_start_v1(OtrlAuthInfo *auth, DH_keypair *our_dh,
unsigned int our_keyid, OtrlPrivKey *privkey)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- /* Clear out this OtrlAuthInfo and start over */
- otrl_auth_clear(auth);
- auth->initiated = 1;
+ /* Clear out this OtrlAuthInfo and start over */
+ otrl_auth_clear(auth);
+ auth->initiated = 1;
+ auth->protocol_version = 1;
- /* Import the given DH keypair, or else create a fresh one */
- if (our_dh) {
+ /* Import the given DH keypair, or else create a fresh one */
+ if (our_dh) {
otrl_dh_keypair_copy(&(auth->our_dh), our_dh);
auth->our_keyid = our_keyid;
- } else {
+ } else {
otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
auth->our_keyid = 1;
- }
+ }
- err = create_v1_key_exchange_message(auth, 0, privkey);
- if (!err) {
+ err = create_v1_key_exchange_message(auth, 0, privkey);
+ if (!err) {
auth->authstate = OTRL_AUTHSTATE_V1_SETUP;
- }
+ }
- return err;
+ return err;
}
/*
@@ -1184,230 +1309,265 @@ gcry_error_t otrl_auth_handle_v1_key_exchange(OtrlAuthInfo *auth,
gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata),
void *asdata)
{
- gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
- unsigned char *buf = NULL, *bufp = NULL;
- unsigned char *fingerprintstart, *fingerprintend;
- unsigned char fingerprintbuf[20], hashbuf[20];
- gcry_mpi_t p, q, g, y, received_pub = NULL;
- gcry_sexp_t pubs = NULL;
- size_t buflen, lenp;
- unsigned char received_reply;
- unsigned int received_keyid;
- int res;
-
- *havemsgp = 0;
-
- res = otrl_base64_otr_decode(keyexchmsg, &buf, &buflen);
- if (res == -1) goto memerr;
- if (res == -2) goto invval;
-
- bufp = buf;
- lenp = buflen;
-
- /* Header */
- require_len(3);
- if (memcmp(bufp, "\x00\x01\x0a", 3)) goto invval;
- bufp += 3; lenp -= 3;
-
- /* Reply */
- require_len(1);
- received_reply = bufp[0];
- bufp += 1; lenp -= 1;
-
- /* Public Key */
- fingerprintstart = bufp;
- read_mpi(p);
- read_mpi(q);
- read_mpi(g);
- read_mpi(y);
- fingerprintend = bufp;
- gcry_md_hash_buffer(GCRY_MD_SHA1, fingerprintbuf,
- fingerprintstart, fingerprintend-fingerprintstart);
- gcry_sexp_build(&pubs, NULL,
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL;
+ unsigned char *fingerprintstart, *fingerprintend;
+ unsigned char fingerprintbuf[20], hashbuf[20];
+ gcry_mpi_t p, q, g, y, received_pub = NULL;
+ gcry_sexp_t pubs = NULL;
+ size_t buflen, lenp;
+ unsigned char received_reply;
+ unsigned int received_keyid;
+ int res;
+
+ *havemsgp = 0;
+
+ res = otrl_base64_otr_decode(keyexchmsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
+
+ bufp = buf;
+ lenp = buflen;
+
+ /* Header */
+ require_len(3);
+ if (memcmp(bufp, "\x00\x01\x0a", 3)) goto invval;
+ bufp += 3; lenp -= 3;
+
+ /* Reply */
+ require_len(1);
+ received_reply = bufp[0];
+ bufp += 1; lenp -= 1;
+
+ /* Public Key */
+ fingerprintstart = bufp;
+ read_mpi(p);
+ read_mpi(q);
+ read_mpi(g);
+ read_mpi(y);
+ fingerprintend = bufp;
+ gcry_md_hash_buffer(GCRY_MD_SHA1, fingerprintbuf,
+ fingerprintstart, fingerprintend-fingerprintstart);
+ gcry_sexp_build(&pubs, NULL,
"(public-key (dsa (p %m)(q %m)(g %m)(y %m)))", p, q, g, y);
- gcry_mpi_release(p);
- gcry_mpi_release(q);
- gcry_mpi_release(g);
- gcry_mpi_release(y);
-
- /* keyid */
- read_int(received_keyid);
- if (received_keyid == 0) goto invval;
-
- /* D-H pubkey */
- read_mpi(received_pub);
-
- /* Verify the signature */
- if (lenp != 40) goto invval;
- gcry_md_hash_buffer(GCRY_MD_SHA1, hashbuf, buf, bufp - buf);
- err = otrl_privkey_verify(bufp, lenp, OTRL_PUBKEY_TYPE_DSA,
- pubs, hashbuf, 20);
- if (err) goto err;
- gcry_sexp_release(pubs);
- pubs = NULL;
- free(buf);
- buf = NULL;
-
- if (auth->authstate != OTRL_AUTHSTATE_V1_SETUP && received_reply == 0x01) {
+ gcry_mpi_release(p);
+ gcry_mpi_release(q);
+ gcry_mpi_release(g);
+ gcry_mpi_release(y);
+
+ /* keyid */
+ read_int(received_keyid);
+ if (received_keyid == 0) goto invval;
+
+ /* D-H pubkey */
+ read_mpi(received_pub);
+
+ /* Verify the signature */
+ if (lenp != 40) goto invval;
+ gcry_md_hash_buffer(GCRY_MD_SHA1, hashbuf, buf, bufp - buf);
+ err = otrl_privkey_verify(bufp, lenp, OTRL_PUBKEY_TYPE_DSA,
+ pubs, hashbuf, 20);
+ if (err) goto err;
+ gcry_sexp_release(pubs);
+ pubs = NULL;
+ free(buf);
+ buf = NULL;
+
+ if (auth->authstate != OTRL_AUTHSTATE_V1_SETUP && received_reply == 0x01) {
/* They're replying to something we never sent. We must be
* logged in more than once; ignore the message. */
err = gpg_error(GPG_ERR_NO_ERROR);
goto err;
- }
+ }
- if (auth->authstate != OTRL_AUTHSTATE_V1_SETUP) {
+ if (auth->authstate != OTRL_AUTHSTATE_V1_SETUP) {
/* Clear the auth and start over */
otrl_auth_clear(auth);
- }
+ }
- /* Everything checked out */
- auth->their_keyid = received_keyid;
- gcry_mpi_release(auth->their_pub);
- auth->their_pub = received_pub;
- received_pub = NULL;
- memcpy(auth->their_fingerprint, fingerprintbuf, 20);
+ /* Everything checked out */
+ auth->their_keyid = received_keyid;
+ gcry_mpi_release(auth->their_pub);
+ auth->their_pub = received_pub;
+ received_pub = NULL;
+ memmove(auth->their_fingerprint, fingerprintbuf, 20);
- if (received_reply == 0x01) {
+ if (received_reply == 0x01) {
/* Don't send a reply to this. */
*havemsgp = 0;
- } else {
+ } else {
/* Import the given DH keypair, or else create a fresh one */
if (our_dh) {
- otrl_dh_keypair_copy(&(auth->our_dh), our_dh);
- auth->our_keyid = our_keyid;
+ otrl_dh_keypair_copy(&(auth->our_dh), our_dh);
+ auth->our_keyid = our_keyid;
} else if (auth->our_keyid == 0) {
- otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
- auth->our_keyid = 1;
+ otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
+ auth->our_keyid = 1;
}
/* Reply with our own Key Exchange Message */
err = create_v1_key_exchange_message(auth, 1, privkey);
if (err) goto err;
*havemsgp = 1;
- }
+ }
- /* Compute the session id */
- err = otrl_dh_compute_v1_session_id(&(auth->our_dh),
- auth->their_pub, auth->secure_session_id,
- &(auth->secure_session_id_len),
- &(auth->session_id_half));
- if (err) goto err;
+ /* Compute the session id */
+ err = otrl_dh_compute_v1_session_id(&(auth->our_dh),
+ auth->their_pub, auth->secure_session_id,
+ &(auth->secure_session_id_len),
+ &(auth->session_id_half));
+ if (err) goto err;
- /* We've completed our end of the authentication */
- auth->protocol_version = 1;
- if (auth_succeeded) err = auth_succeeded(auth, asdata);
- auth->our_keyid = 0;
- auth->authstate = OTRL_AUTHSTATE_NONE;
+ /* We've completed our end of the authentication */
+ auth->protocol_version = 1;
+ if (auth_succeeded) err = auth_succeeded(auth, asdata);
+ auth->our_keyid = 0;
+ auth->authstate = OTRL_AUTHSTATE_NONE;
- return err;
+ return err;
invval:
- err = gcry_error(GPG_ERR_INV_VALUE);
- goto err;
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
memerr:
- err = gcry_error(GPG_ERR_ENOMEM);
+ err = gcry_error(GPG_ERR_ENOMEM);
err:
- free(buf);
- gcry_sexp_release(pubs);
- gcry_mpi_release(received_pub);
- return err;
+ free(buf);
+ gcry_sexp_release(pubs);
+ gcry_mpi_release(received_pub);
+ return err;
+}
+
+/*
+ * Copy relevant information from the master OtrlAuthInfo to an
+ * instance OtrlAuthInfo in response to a D-H Key with a new
+ * instance. The fields copied will depend on the state of the
+ * master auth.
+ */
+void otrl_auth_copy_on_key(OtrlAuthInfo *m_auth, OtrlAuthInfo *auth)
+{
+ switch(m_auth->authstate) {
+ case OTRL_AUTHSTATE_AWAITING_DHKEY:
+ case OTRL_AUTHSTATE_AWAITING_SIG:
+ /* Copy our D-H Commit information to the new instance */
+ otrl_dh_keypair_free(&(auth->our_dh));
+ auth->initiated = m_auth->initiated;
+ otrl_dh_keypair_copy(&(auth->our_dh), &(m_auth->our_dh));
+ auth->our_keyid = m_auth->our_keyid;
+ memmove(auth->r, m_auth->r, 16);
+ if (auth->encgx) free(auth->encgx);
+ auth->encgx = malloc(m_auth->encgx_len);
+ memmove(auth->encgx, m_auth->encgx, m_auth->encgx_len);
+ memmove(auth->hashgx, m_auth->hashgx, 32);
+
+ auth->authstate = OTRL_AUTHSTATE_AWAITING_DHKEY;
+ break;
+
+ default:
+ /* This bad state will be detected and handled later */
+ break;
+ }
}
#ifdef OTRL_TESTING_AUTH
#include "mem.h"
#include "privkey.h"
-#define CHECK_ERR if (err) { printf("Error: %s\n", gcry_strerror(err)); return 1; }
+#define CHECK_ERR if (err) { printf("Error: %s\n", gcry_strerror(err)); \
+ return 1; }
static gcry_error_t starting(const OtrlAuthInfo *auth, void *asdata)
{
- char *name = asdata;
+ char *name = asdata;
- fprintf(stderr, "\nStarting ENCRYPTED mode for %s (v%d).\n", name, auth->protocol_version);
+ fprintf(stderr, "\nStarting ENCRYPTED mode for %s (v%d).\n",
+ name, auth->protocol_version);
- fprintf(stderr, "\nour_dh (%d):", auth->our_keyid);
- gcry_mpi_dump(auth->our_dh.pub);
- fprintf(stderr, "\ntheir_pub (%d):", auth->their_keyid);
- gcry_mpi_dump(auth->their_pub);
+ fprintf(stderr, "\nour_dh (%d):", auth->our_keyid);
+ gcry_mpi_dump(auth->our_dh.pub);
+ fprintf(stderr, "\ntheir_pub (%d):", auth->their_keyid);
+ gcry_mpi_dump(auth->their_pub);
- debug_data("\nTheir fingerprint", auth->their_fingerprint, 20);
- debug_data("\nSecure session id", auth->secure_session_id,
- auth->secure_session_id_len);
- fprintf(stderr, "Sessionid half: %d\n\n", auth->session_id_half);
+ debug_data("\nTheir fingerprint", auth->their_fingerprint, 20);
+ debug_data("\nSecure session id", auth->secure_session_id,
+ auth->secure_session_id_len);
+ fprintf(stderr, "Sessionid half: %d\n\n", auth->session_id_half);
- return gpg_error(GPG_ERR_NO_ERROR);
+ return gpg_error(GPG_ERR_NO_ERROR);
}
int main(int argc, char **argv)
{
- OtrlAuthInfo alice, bob;
- gcry_error_t err;
- int havemsg;
- OtrlUserState us;
- OtrlPrivKey *alicepriv, *bobpriv;
-
- otrl_mem_init();
- otrl_dh_init();
- otrl_auth_new(&alice);
- otrl_auth_new(&bob);
-
- us = otrl_userstate_create();
- otrl_privkey_read(us, "/home/iang/.gaim/otr.private_key");
- alicepriv = otrl_privkey_find(us, "oneeyedian", "prpl-oscar");
- bobpriv = otrl_privkey_find(us, "otr4ian", "prpl-oscar");
-
- printf("\n\n ***** V2 *****\n\n");
-
- err = otrl_auth_start_v2(&bob, NULL, 0);
- CHECK_ERR
- printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
- err = otrl_auth_handle_commit(&alice, bob.lastauthmsg, NULL, 0);
- CHECK_ERR
- printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), alice.lastauthmsg);
- err = otrl_auth_handle_key(&bob, alice.lastauthmsg, &havemsg, bobpriv);
- CHECK_ERR
- if (havemsg) {
+ OtrlAuthInfo alice, bob;
+ gcry_error_t err;
+ int havemsg;
+ OtrlUserState us;
+ OtrlPrivKey *alicepriv, *bobpriv;
+
+ otrl_mem_init();
+ otrl_dh_init();
+ otrl_auth_new(&alice);
+ otrl_auth_new(&bob);
+
+ us = otrl_userstate_create();
+ otrl_privkey_read(us, "/home/iang/.gaim/otr.private_key");
+ alicepriv = otrl_privkey_find(us, "oneeyedian", "prpl-oscar");
+ bobpriv = otrl_privkey_find(us, "otr4ian", "prpl-oscar");
+
+ printf("\n\n ***** V2 *****\n\n");
+
+ err = otrl_auth_start_v23(&bob, NULL, 0);
+ CHECK_ERR
+ printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
+ err = otrl_auth_handle_commit(&alice, bob.lastauthmsg, NULL, 0);
+ CHECK_ERR
+ printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), alice.lastauthmsg);
+ err = otrl_auth_handle_key(&bob, alice.lastauthmsg, &havemsg, bobpriv);
+ CHECK_ERR
+ if (havemsg) {
printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
- } else {
+ } else {
printf("\nIGNORE\n\n");
- }
- err = otrl_auth_handle_revealsig(&alice, bob.lastauthmsg, &havemsg,
- alicepriv, starting, "Alice");
- CHECK_ERR
- if (havemsg) {
- printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), alice.lastauthmsg);
- } else {
+ }
+ err = otrl_auth_handle_revealsig(&alice, bob.lastauthmsg, &havemsg,
+ alicepriv, starting, "Alice");
+ CHECK_ERR
+ if (havemsg) {
+ printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg),
+ alice.lastauthmsg);
+ } else {
printf("\nIGNORE\n\n");
- }
- err = otrl_auth_handle_signature(&bob, alice.lastauthmsg, &havemsg,
- starting, "Bob");
- CHECK_ERR
-
- printf("\n\n ***** V1 *****\n\n");
-
- err = otrl_auth_start_v1(&bob, NULL, 0, bobpriv);
- CHECK_ERR
- printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
- err = otrl_auth_handle_v1_key_exchange(&alice, bob.lastauthmsg,
- &havemsg, alicepriv, NULL, 0, starting, "Alice");
- CHECK_ERR
- if (havemsg) {
- printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), alice.lastauthmsg);
- } else {
+ }
+ err = otrl_auth_handle_signature(&bob, alice.lastauthmsg, &havemsg,
+ starting, "Bob");
+ CHECK_ERR
+
+ printf("\n\n ***** V1 *****\n\n");
+
+ err = otrl_auth_start_v1(&bob, NULL, 0, bobpriv);
+ CHECK_ERR
+ printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
+ err = otrl_auth_handle_v1_key_exchange(&alice, bob.lastauthmsg,
+ &havemsg, alicepriv, NULL, 0, starting, "Alice");
+ CHECK_ERR
+ if (havemsg) {
+ printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg),
+ alice.lastauthmsg);
+ } else {
printf("\nIGNORE\n\n");
- }
- err = otrl_auth_handle_v1_key_exchange(&bob, alice.lastauthmsg,
- &havemsg, bobpriv, NULL, 0, starting, "Bob");
- CHECK_ERR
- if (havemsg) {
+ }
+ err = otrl_auth_handle_v1_key_exchange(&bob, alice.lastauthmsg,
+ &havemsg, bobpriv, NULL, 0, starting, "Bob");
+ CHECK_ERR
+ if (havemsg) {
printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
- } else {
+ } else {
printf("\nIGNORE\n\n");
- }
+ }
- otrl_userstate_free(us);
- otrl_auth_clear(&alice);
- otrl_auth_clear(&bob);
- return 0;
+ otrl_userstate_free(us);
+ otrl_auth_clear(&alice);
+ otrl_auth_clear(&bob);
+ return 0;
}
#endif