summaryrefslogtreecommitdiff
path: root/plugins/MirOTR/libotr/src
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/MirOTR/libotr/src')
-rw-r--r--plugins/MirOTR/libotr/src/auth.c1413
-rw-r--r--plugins/MirOTR/libotr/src/auth.h157
-rw-r--r--plugins/MirOTR/libotr/src/b64.c249
-rw-r--r--plugins/MirOTR/libotr/src/b64.h57
-rw-r--r--plugins/MirOTR/libotr/src/context.c330
-rw-r--r--plugins/MirOTR/libotr/src/context.h182
-rw-r--r--plugins/MirOTR/libotr/src/dh.c466
-rw-r--r--plugins/MirOTR/libotr/src/dh.h119
-rw-r--r--plugins/MirOTR/libotr/src/mem.c163
-rw-r--r--plugins/MirOTR/libotr/src/mem.h25
-rw-r--r--plugins/MirOTR/libotr/src/message.c1446
-rw-r--r--plugins/MirOTR/libotr/src/message.h210
-rw-r--r--plugins/MirOTR/libotr/src/privkey-t.h39
-rw-r--r--plugins/MirOTR/libotr/src/privkey.c749
-rw-r--r--plugins/MirOTR/libotr/src/privkey.h115
-rw-r--r--plugins/MirOTR/libotr/src/proto.c906
-rw-r--r--plugins/MirOTR/libotr/src/proto.h150
-rw-r--r--plugins/MirOTR/libotr/src/serial.h85
-rw-r--r--plugins/MirOTR/libotr/src/sm.c929
-rw-r--r--plugins/MirOTR/libotr/src/sm.h83
-rw-r--r--plugins/MirOTR/libotr/src/tlv.c108
-rw-r--r--plugins/MirOTR/libotr/src/tlv.h70
-rw-r--r--plugins/MirOTR/libotr/src/userstate.c51
-rw-r--r--plugins/MirOTR/libotr/src/userstate.h45
-rw-r--r--plugins/MirOTR/libotr/src/version.h29
25 files changed, 8176 insertions, 0 deletions
diff --git a/plugins/MirOTR/libotr/src/auth.c b/plugins/MirOTR/libotr/src/auth.c
new file mode 100644
index 0000000000..978c986613
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/auth.c
@@ -0,0 +1,1413 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* system headers */
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+/* libotr headers */
+#include "b64.h"
+#include "privkey.h"
+#include "auth.h"
+#include "serial.h"
+
+/*
+ * Initialize the fields of an OtrlAuthInfo (already allocated).
+ */
+void otrl_auth_new(OtrlAuthInfo *auth)
+{
+ auth->authstate = OTRL_AUTHSTATE_NONE;
+ otrl_dh_keypair_init(&(auth->our_dh));
+ auth->our_keyid = 0;
+ auth->encgx = NULL;
+ auth->encgx_len = 0;
+ memset(auth->r, 0, 16);
+ memset(auth->hashgx, 0, 32);
+ auth->their_pub = NULL;
+ auth->their_keyid = 0;
+ auth->enc_c = NULL;
+ auth->enc_cp = NULL;
+ auth->mac_m1 = NULL;
+ auth->mac_m1p = NULL;
+ auth->mac_m2 = NULL;
+ auth->mac_m2p = NULL;
+ memset(auth->their_fingerprint, 0, 20);
+ auth->initiated = 0;
+ auth->protocol_version = 0;
+ memset(auth->secure_session_id, 0, 20);
+ auth->secure_session_id_len = 0;
+ auth->lastauthmsg = NULL;
+}
+
+/*
+ * Clear the fields of an OtrlAuthInfo (but leave it allocated).
+ */
+void otrl_auth_clear(OtrlAuthInfo *auth)
+{
+ auth->authstate = OTRL_AUTHSTATE_NONE;
+ otrl_dh_keypair_free(&(auth->our_dh));
+ auth->our_keyid = 0;
+ free(auth->encgx);
+ auth->encgx = NULL;
+ auth->encgx_len = 0;
+ memset(auth->r, 0, 16);
+ memset(auth->hashgx, 0, 32);
+ gcry_mpi_release(auth->their_pub);
+ auth->their_pub = NULL;
+ auth->their_keyid = 0;
+ gcry_cipher_close(auth->enc_c);
+ gcry_cipher_close(auth->enc_cp);
+ gcry_md_close(auth->mac_m1);
+ gcry_md_close(auth->mac_m1p);
+ gcry_md_close(auth->mac_m2);
+ gcry_md_close(auth->mac_m2p);
+ auth->enc_c = NULL;
+ auth->enc_cp = NULL;
+ auth->mac_m1 = NULL;
+ auth->mac_m1p = NULL;
+ auth->mac_m2 = NULL;
+ auth->mac_m2p = NULL;
+ memset(auth->their_fingerprint, 0, 20);
+ auth->initiated = 0;
+ auth->protocol_version = 0;
+ memset(auth->secure_session_id, 0, 20);
+ auth->secure_session_id_len = 0;
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = NULL;
+}
+
+/*
+ * Start a fresh AKE (version 2) using the given OtrlAuthInfo. Generate
+ * a fresh DH keypair to use. If no error is returned, the message to
+ * transmit will be contained in auth->lastauthmsg.
+ */
+gcry_error_t otrl_auth_start_v2(OtrlAuthInfo *auth)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ size_t npub;
+ gcry_cipher_hd_t enc = NULL;
+ unsigned char ctr[16];
+ unsigned char *buf, *bufp;
+ size_t buflen, lenp;
+
+ /* Clear out this OtrlAuthInfo and start over */
+ otrl_auth_clear(auth);
+ auth->initiated = 1;
+
+ otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
+ auth->our_keyid = 1;
+
+ /* Pick an encryption key */
+ gcry_randomize(auth->r, 16, GCRY_STRONG_RANDOM);
+
+ /* Allocate space for the encrypted g^x */
+ gcry_mpi_print(format, NULL, 0, &npub, auth->our_dh.pub);
+ auth->encgx = malloc(4+npub);
+ if (auth->encgx == NULL) goto memerr;
+ auth->encgx_len = 4+npub;
+ bufp = auth->encgx;
+ lenp = auth->encgx_len;
+ write_mpi(auth->our_dh.pub, npub, "g^x");
+ assert(lenp == 0);
+
+ /* Hash g^x */
+ gcry_md_hash_buffer(GCRY_MD_SHA256, auth->hashgx, auth->encgx,
+ auth->encgx_len);
+
+ /* Encrypt g^x using the key r */
+ err = gcry_cipher_open(&enc, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR,
+ GCRY_CIPHER_SECURE);
+ if (err) goto err;
+
+ err = gcry_cipher_setkey(enc, auth->r, 16);
+ if (err) goto err;
+
+ memset(ctr, 0, 16);
+ err = gcry_cipher_setctr(enc, ctr, 16);
+ if (err) goto err;
+
+ err = gcry_cipher_encrypt(enc, auth->encgx, auth->encgx_len, NULL, 0);
+ if (err) goto err;
+
+ gcry_cipher_close(enc);
+ enc = NULL;
+
+ /* Now serialize the message */
+ lenp = 3 + 4 + auth->encgx_len + 4 + 32;
+ bufp = malloc(lenp);
+ if (bufp == NULL) goto memerr;
+ buf = bufp;
+ buflen = lenp;
+
+ memcpy(bufp, "\x00\x02\x02", 3); /* header */
+ debug_data("Header", bufp, 3);
+ bufp += 3; lenp -= 3;
+
+ /* Encrypted g^x */
+ write_int(auth->encgx_len);
+ debug_int("Enc gx len", bufp-4);
+ memcpy(bufp, auth->encgx, auth->encgx_len);
+ debug_data("Enc gx", bufp, auth->encgx_len);
+ bufp += auth->encgx_len; lenp -= auth->encgx_len;
+
+ /* Hashed g^x */
+ write_int(32);
+ debug_int("hashgx len", bufp-4);
+ memcpy(bufp, auth->hashgx, 32);
+ debug_data("hashgx", bufp, 32);
+ bufp += 32; lenp -= 32;
+
+ assert(lenp == 0);
+
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
+ free(buf);
+ if (auth->lastauthmsg == NULL) goto memerr;
+ auth->authstate = OTRL_AUTHSTATE_AWAITING_DHKEY;
+
+ return err;
+
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ otrl_auth_clear(auth);
+ gcry_cipher_close(enc);
+ return err;
+}
+
+/*
+ * Create a D-H Key Message using the our_dh value in the given auth,
+ * and store it in auth->lastauthmsg.
+ */
+static gcry_error_t create_key_message(OtrlAuthInfo *auth)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ unsigned char *buf, *bufp;
+ size_t buflen, lenp;
+ size_t npub;
+
+ gcry_mpi_print(format, NULL, 0, &npub, auth->our_dh.pub);
+ buflen = 3 + 4 + npub;
+ buf = malloc(buflen);
+ if (buf == NULL) goto memerr;
+ bufp = buf;
+ lenp = buflen;
+
+ memcpy(bufp, "\x00\x02\x0a", 3); /* header */
+ debug_data("Header", bufp, 3);
+ bufp += 3; lenp -= 3;
+
+ /* g^y */
+ write_mpi(auth->our_dh.pub, npub, "g^y");
+
+ assert(lenp == 0);
+
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
+ free(buf);
+ if (auth->lastauthmsg == NULL) goto memerr;
+
+ return err;
+
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+ return err;
+}
+
+/*
+ * Handle an incoming D-H Commit Message. If no error is returned, the
+ * message to send will be left in auth->lastauthmsg. Generate a fresh
+ * keypair to use.
+ */
+gcry_error_t otrl_auth_handle_commit(OtrlAuthInfo *auth,
+ const char *commitmsg)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL, *encbuf = NULL;
+ unsigned char hashbuf[32];
+ size_t buflen, lenp, enclen, hashlen;
+ int res;
+
+ res = otrl_base64_otr_decode(commitmsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
+
+ bufp = buf;
+ lenp = buflen;
+
+ /* Header */
+ require_len(3);
+ if (memcmp(bufp, "\x00\x02\x02", 3)) goto invval;
+ bufp += 3; lenp -= 3;
+
+ /* Encrypted g^x */
+ read_int(enclen);
+ require_len(enclen);
+ encbuf = malloc(enclen);
+ if (encbuf == NULL && enclen > 0) goto memerr;
+ memcpy(encbuf, bufp, enclen);
+ bufp += enclen; lenp -= enclen;
+
+ /* Hashed g^x */
+ read_int(hashlen);
+ if (hashlen != 32) goto invval;
+ require_len(32);
+ memcpy(hashbuf, bufp, 32);
+ bufp += 32; lenp -= 32;
+
+ if (lenp != 0) goto invval;
+ free(buf);
+ buf = NULL;
+
+ switch(auth->authstate) {
+ case OTRL_AUTHSTATE_NONE:
+ case OTRL_AUTHSTATE_AWAITING_SIG:
+ case OTRL_AUTHSTATE_V1_SETUP:
+
+ /* Store the incoming information */
+ otrl_auth_clear(auth);
+ otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
+ auth->our_keyid = 1;
+ auth->encgx = encbuf;
+ encbuf = NULL;
+ auth->encgx_len = enclen;
+ memcpy(auth->hashgx, hashbuf, 32);
+
+ /* Create a D-H Key Message */
+ err = create_key_message(auth);
+ if (err) goto err;
+ auth->authstate = OTRL_AUTHSTATE_AWAITING_REVEALSIG;
+
+ break;
+
+ case OTRL_AUTHSTATE_AWAITING_DHKEY:
+ /* We sent a D-H Commit Message, and we also received one
+ * back. Compare the hashgx values to see which one wins. */
+ if (memcmp(auth->hashgx, hashbuf, 32) > 0) {
+ /* Ours wins. Ignore the message we received, and just
+ * resend the same D-H Commit message again. */
+ free(encbuf);
+ encbuf = NULL;
+ } else {
+ /* Ours loses. Use the incoming parameters instead. */
+ otrl_auth_clear(auth);
+ otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
+ auth->our_keyid = 1;
+ auth->encgx = encbuf;
+ encbuf = NULL;
+ auth->encgx_len = enclen;
+ memcpy(auth->hashgx, hashbuf, 32);
+
+ /* Create a D-H Key Message */
+ err = create_key_message(auth);
+ if (err) goto err;
+ auth->authstate = OTRL_AUTHSTATE_AWAITING_REVEALSIG;
+ }
+ break;
+ case OTRL_AUTHSTATE_AWAITING_REVEALSIG:
+ /* Use the incoming parameters, but just retransmit the old
+ * D-H Key Message. */
+ free(auth->encgx);
+ auth->encgx = encbuf;
+ encbuf = NULL;
+ auth->encgx_len = enclen;
+ memcpy(auth->hashgx, hashbuf, 32);
+ break;
+ }
+
+ return err;
+
+invval:
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ free(encbuf);
+ return err;
+}
+
+/*
+ * Calculate the encrypted part of the Reveal Signature and Signature
+ * Messages, given a MAC key, an encryption key, two DH public keys, an
+ * authentication public key (contained in an OtrlPrivKey structure),
+ * and a keyid. If no error is returned, *authbufp will point to the
+ * result, and *authlenp will point to its length.
+ */
+static gcry_error_t calculate_pubkey_auth(unsigned char **authbufp,
+ size_t *authlenp, gcry_md_hd_t mackey, gcry_cipher_hd_t enckey,
+ gcry_mpi_t our_dh_pub, gcry_mpi_t their_dh_pub,
+ OtrlPrivKey *privkey, unsigned int keyid)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ size_t ourpublen, theirpublen, totallen, lenp;
+ unsigned char *buf = NULL, *bufp = NULL;
+ unsigned char macbuf[32];
+ unsigned char *sigbuf = NULL;
+ size_t siglen;
+
+ /* How big are the DH public keys? */
+ gcry_mpi_print(format, NULL, 0, &ourpublen, our_dh_pub);
+ gcry_mpi_print(format, NULL, 0, &theirpublen, their_dh_pub);
+
+ /* How big is the total structure to be MAC'd? */
+ totallen = 4 + ourpublen + 4 + theirpublen + 2 + privkey->pubkey_datalen
+ + 4;
+ buf = malloc(totallen);
+ if (buf == NULL) goto memerr;
+
+ bufp = buf;
+ lenp = totallen;
+
+ /* Write the data to be MAC'd */
+ write_mpi(our_dh_pub, ourpublen, "Our DH pubkey");
+ write_mpi(their_dh_pub, theirpublen, "Their DH pubkey");
+ bufp[0] = ((privkey->pubkey_type) >> 8) & 0xff;
+ bufp[1] = (privkey->pubkey_type) & 0xff;
+ bufp += 2; lenp -= 2;
+ memcpy(bufp, privkey->pubkey_data, privkey->pubkey_datalen);
+ debug_data("Pubkey", bufp, privkey->pubkey_datalen);
+ bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen;
+ write_int(keyid);
+ debug_int("Keyid", bufp-4);
+
+ assert(lenp == 0);
+
+ /* Do the MAC */
+ gcry_md_reset(mackey);
+ gcry_md_write(mackey, buf, totallen);
+ memcpy(macbuf, gcry_md_read(mackey, GCRY_MD_SHA256), 32);
+
+ free(buf);
+ buf = NULL;
+
+ /* Sign the MAC */
+ err = otrl_privkey_sign(&sigbuf, &siglen, privkey, macbuf, 32);
+ if (err) goto err;
+
+ /* Calculate the total size of the structure to be encrypted */
+ totallen = 2 + privkey->pubkey_datalen + 4 + siglen;
+ buf = malloc(totallen);
+ if (buf == NULL) goto memerr;
+ bufp = buf;
+ lenp = totallen;
+
+ /* Write the data to be encrypted */
+ bufp[0] = ((privkey->pubkey_type) >> 8) & 0xff;
+ bufp[1] = (privkey->pubkey_type) & 0xff;
+ bufp += 2; lenp -= 2;
+ memcpy(bufp, privkey->pubkey_data, privkey->pubkey_datalen);
+ debug_data("Pubkey", bufp, privkey->pubkey_datalen);
+ bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen;
+ write_int(keyid);
+ debug_int("Keyid", bufp-4);
+ memcpy(bufp, sigbuf, siglen);
+ debug_data("Signature", bufp, siglen);
+ bufp += siglen; lenp -= siglen;
+ free(sigbuf);
+ sigbuf = NULL;
+
+ assert(lenp == 0);
+
+ /* Now do the encryption */
+ err = gcry_cipher_encrypt(enckey, buf, totallen, NULL, 0);
+ if (err) goto err;
+
+ *authbufp = buf;
+ buf = NULL;
+ *authlenp = totallen;
+
+ return err;
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ free(sigbuf);
+ return err;
+}
+
+/*
+ * Decrypt the authenticator in the Reveal Signature and Signature
+ * Messages, given a MAC key, and encryption key, and two DH public
+ * keys. The fingerprint of the received public key will get put into
+ * fingerprintbufp, and the received keyid will get put in *keyidp.
+ * The encrypted data pointed to by authbuf will be decrypted in place.
+ */
+static gcry_error_t check_pubkey_auth(unsigned char fingerprintbufp[20],
+ unsigned int *keyidp, unsigned char *authbuf, size_t authlen,
+ gcry_md_hd_t mackey, gcry_cipher_hd_t enckey,
+ gcry_mpi_t our_dh_pub, gcry_mpi_t their_dh_pub)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ size_t ourpublen, theirpublen, totallen, lenp;
+ unsigned char *buf = NULL, *bufp = NULL;
+ unsigned char macbuf[32];
+ unsigned short pubkey_type;
+ gcry_mpi_t p,q,g,y;
+ gcry_sexp_t pubs = NULL;
+ unsigned int received_keyid;
+ unsigned char *fingerprintstart, *fingerprintend, *sigbuf;
+ size_t siglen;
+
+ /* Start by decrypting it */
+ err = gcry_cipher_decrypt(enckey, authbuf, authlen, NULL, 0);
+ if (err) goto err;
+
+ bufp = authbuf;
+ lenp = authlen;
+
+ /* Get the public key and calculate its fingerprint */
+ require_len(2);
+ pubkey_type = (bufp[0] << 8) + bufp[1];
+ bufp += 2; lenp -= 2;
+ if (pubkey_type != OTRL_PUBKEY_TYPE_DSA) goto invval;
+ fingerprintstart = bufp;
+ read_mpi(p);
+ read_mpi(q);
+ read_mpi(g);
+ read_mpi(y);
+ fingerprintend = bufp;
+ gcry_md_hash_buffer(GCRY_MD_SHA1, fingerprintbufp,
+ fingerprintstart, fingerprintend-fingerprintstart);
+ gcry_sexp_build(&pubs, NULL,
+ "(public-key (dsa (p %m)(q %m)(g %m)(y %m)))", p, q, g, y);
+ gcry_mpi_release(p);
+ gcry_mpi_release(q);
+ gcry_mpi_release(g);
+ gcry_mpi_release(y);
+
+ /* Get the keyid */
+ read_int(received_keyid);
+ if (received_keyid == 0) goto invval;
+
+ /* Get the signature */
+ sigbuf = bufp;
+ siglen = lenp;
+
+ /* How big are the DH public keys? */
+ gcry_mpi_print(format, NULL, 0, &ourpublen, our_dh_pub);
+ gcry_mpi_print(format, NULL, 0, &theirpublen, their_dh_pub);
+
+ /* Now calculate the message to be MAC'd. */
+ totallen = 4 + ourpublen + 4 + theirpublen + 2 +
+ (fingerprintend - fingerprintstart) + 4;
+ buf = malloc(totallen);
+ if (buf == NULL) goto memerr;
+
+ bufp = buf;
+ lenp = totallen;
+
+ write_mpi(their_dh_pub, theirpublen, "Their DH pubkey");
+ write_mpi(our_dh_pub, ourpublen, "Our DH pubkey");
+ bufp[0] = (pubkey_type >> 8) & 0xff;
+ bufp[1] = pubkey_type & 0xff;
+ bufp += 2; lenp -= 2;
+ memcpy(bufp, fingerprintstart, fingerprintend - fingerprintstart);
+ debug_data("Pubkey", bufp, fingerprintend - fingerprintstart);
+ bufp += fingerprintend - fingerprintstart;
+ lenp -= fingerprintend - fingerprintstart;
+ write_int(received_keyid);
+ debug_int("Keyid", bufp-4);
+
+ assert(lenp == 0);
+
+ /* Do the MAC */
+ gcry_md_reset(mackey);
+ gcry_md_write(mackey, buf, totallen);
+ memcpy(macbuf, gcry_md_read(mackey, GCRY_MD_SHA256), 32);
+
+ free(buf);
+ buf = NULL;
+
+ /* Verify the signature on the MAC */
+ err = otrl_privkey_verify(sigbuf, siglen, pubkey_type, pubs, macbuf, 32);
+ if (err) goto err;
+ gcry_sexp_release(pubs);
+ pubs = NULL;
+
+ /* Everything checked out */
+ *keyidp = received_keyid;
+
+ return err;
+invval:
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ gcry_sexp_release(pubs);
+ return err;
+}
+
+/*
+ * Create a Reveal Signature Message using the values in the given auth,
+ * and store it in auth->lastauthmsg. Use the given privkey to sign the
+ * message.
+ */
+static gcry_error_t create_revealsig_message(OtrlAuthInfo *auth,
+ OtrlPrivKey *privkey)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp, *startmac;
+ size_t buflen, lenp;
+
+ unsigned char *authbuf = NULL;
+ size_t authlen;
+
+ /* Get the encrypted authenticator */
+ err = calculate_pubkey_auth(&authbuf, &authlen, auth->mac_m1, auth->enc_c,
+ auth->our_dh.pub, auth->their_pub, privkey, auth->our_keyid);
+ if (err) goto err;
+
+ buflen = 3 + 4 + 16 + 4 + authlen + 20;
+ buf = malloc(buflen);
+ if (buf == NULL) goto memerr;
+
+ bufp = buf;
+ lenp = buflen;
+
+ memcpy(bufp, "\x00\x02\x11", 3); /* header */
+ debug_data("Header", bufp, 3);
+ bufp += 3; lenp -= 3;
+
+ /* r */
+ write_int(16);
+ memcpy(bufp, auth->r, 16);
+ debug_data("r", bufp, 16);
+ bufp += 16; lenp -= 16;
+
+ /* Encrypted authenticator */
+ startmac = bufp;
+ write_int(authlen);
+ memcpy(bufp, authbuf, authlen);
+ debug_data("auth", bufp, authlen);
+ bufp += authlen; lenp -= authlen;
+ free(authbuf);
+ authbuf = NULL;
+
+ /* MAC it, but only take the first 20 bytes */
+ gcry_md_reset(auth->mac_m2);
+ gcry_md_write(auth->mac_m2, startmac, bufp - startmac);
+ memcpy(bufp, gcry_md_read(auth->mac_m2, GCRY_MD_SHA256), 20);
+ debug_data("MAC", bufp, 20);
+ bufp += 20; lenp -= 20;
+
+ assert(lenp == 0);
+
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
+ if (auth->lastauthmsg == NULL) goto memerr;
+ free(buf);
+ buf = NULL;
+
+ return err;
+
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ free(authbuf);
+ return err;
+}
+
+/*
+ * Create a Signature Message using the values in the given auth, and
+ * store it in auth->lastauthmsg. Use the given privkey to sign the
+ * message.
+ */
+static gcry_error_t create_signature_message(OtrlAuthInfo *auth,
+ OtrlPrivKey *privkey)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp, *startmac;
+ size_t buflen, lenp;
+
+ unsigned char *authbuf = NULL;
+ size_t authlen;
+
+ /* Get the encrypted authenticator */
+ err = calculate_pubkey_auth(&authbuf, &authlen, auth->mac_m1p,
+ auth->enc_cp, auth->our_dh.pub, auth->their_pub, privkey,
+ auth->our_keyid);
+ if (err) goto err;
+
+ buflen = 3 + 4 + authlen + 20;
+ buf = malloc(buflen);
+ if (buf == NULL) goto memerr;
+
+ bufp = buf;
+ lenp = buflen;
+
+ memcpy(bufp, "\x00\x02\x12", 3); /* header */
+ debug_data("Header", bufp, 3);
+ bufp += 3; lenp -= 3;
+
+ /* Encrypted authenticator */
+ startmac = bufp;
+ write_int(authlen);
+ memcpy(bufp, authbuf, authlen);
+ debug_data("auth", bufp, authlen);
+ bufp += authlen; lenp -= authlen;
+ free(authbuf);
+ authbuf = NULL;
+
+ /* MAC it, but only take the first 20 bytes */
+ gcry_md_reset(auth->mac_m2p);
+ gcry_md_write(auth->mac_m2p, startmac, bufp - startmac);
+ memcpy(bufp, gcry_md_read(auth->mac_m2p, GCRY_MD_SHA256), 20);
+ debug_data("MAC", bufp, 20);
+ bufp += 20; lenp -= 20;
+
+ assert(lenp == 0);
+
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen);
+ if (auth->lastauthmsg == NULL) goto memerr;
+ free(buf);
+ buf = NULL;
+
+ return err;
+
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ free(authbuf);
+ return err;
+}
+
+/*
+ * Handle an incoming D-H Key Message. If no error is returned, and
+ * *havemsgp is 1, the message to sent will be left in auth->lastauthmsg.
+ * Use the given private authentication key to sign messages.
+ */
+gcry_error_t otrl_auth_handle_key(OtrlAuthInfo *auth, const char *keymsg,
+ int *havemsgp, OtrlPrivKey *privkey)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL;
+ size_t buflen, lenp;
+ gcry_mpi_t incoming_pub = NULL;
+ int res;
+
+ *havemsgp = 0;
+
+ res = otrl_base64_otr_decode(keymsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
+
+ bufp = buf;
+ lenp = buflen;
+
+ /* Header */
+ if (memcmp(bufp, "\x00\x02\x0a", 3)) goto invval;
+ bufp += 3; lenp -= 3;
+
+ /* g^y */
+ read_mpi(incoming_pub);
+
+ if (lenp != 0) goto invval;
+ free(buf);
+ buf = NULL;
+
+ switch(auth->authstate) {
+ case OTRL_AUTHSTATE_AWAITING_DHKEY:
+ /* Store the incoming public key */
+ gcry_mpi_release(auth->their_pub);
+ auth->their_pub = incoming_pub;
+ incoming_pub = NULL;
+
+ /* Compute the encryption and MAC keys */
+ err = otrl_dh_compute_v2_auth_keys(&(auth->our_dh),
+ auth->their_pub, auth->secure_session_id,
+ &(auth->secure_session_id_len),
+ &(auth->enc_c), &(auth->enc_cp),
+ &(auth->mac_m1), &(auth->mac_m1p),
+ &(auth->mac_m2), &(auth->mac_m2p));
+ if (err) goto err;
+
+ /* Create the Reveal Signature Message */
+ err = create_revealsig_message(auth, privkey);
+ if (err) goto err;
+ *havemsgp = 1;
+ auth->authstate = OTRL_AUTHSTATE_AWAITING_SIG;
+
+ break;
+
+ case OTRL_AUTHSTATE_AWAITING_SIG:
+ if (gcry_mpi_cmp(incoming_pub, auth->their_pub) == 0) {
+ /* Retransmit the Reveal Signature Message */
+ *havemsgp = 1;
+ } else {
+ /* Ignore this message */
+ *havemsgp = 0;
+ }
+ break;
+ case OTRL_AUTHSTATE_NONE:
+ case OTRL_AUTHSTATE_AWAITING_REVEALSIG:
+ case OTRL_AUTHSTATE_V1_SETUP:
+ /* Ignore this message */
+ *havemsgp = 0;
+ break;
+ }
+
+ gcry_mpi_release(incoming_pub);
+ return err;
+
+invval:
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ gcry_mpi_release(incoming_pub);
+ return err;
+}
+
+/*
+ * Handle an incoming Reveal Signature Message. If no error is
+ * returned, and *havemsgp is 1, the message to be sent will be left in
+ * auth->lastauthmsg. Use the given private authentication key to sign
+ * messages. Call the auth_succeeded callback if authentication is
+ * successful.
+ */
+gcry_error_t otrl_auth_handle_revealsig(OtrlAuthInfo *auth,
+ const char *revealmsg, int *havemsgp, OtrlPrivKey *privkey,
+ gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata),
+ void *asdata)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL, *gxbuf = NULL;
+ unsigned char *authstart, *authend, *macstart;
+ size_t buflen, lenp, rlen, authlen;
+ gcry_cipher_hd_t enc = NULL;
+ gcry_mpi_t incoming_pub = NULL;
+ unsigned char ctr[16], hashbuf[32];
+ int res;
+
+ *havemsgp = 0;
+
+ res = otrl_base64_otr_decode(revealmsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
+
+ bufp = buf;
+ lenp = buflen;
+
+ /* Header */
+ if (memcmp(bufp, "\x00\x02\x11", 3)) goto invval;
+ bufp += 3; lenp -= 3;
+
+ /* r */
+ read_int(rlen);
+ if (rlen != 16) goto invval;
+ require_len(rlen);
+ memcpy(auth->r, bufp, rlen);
+ bufp += rlen; lenp -= rlen;
+
+ /* auth */
+ authstart = bufp;
+ read_int(authlen);
+ require_len(authlen);
+ bufp += authlen; lenp -= authlen;
+ authend = bufp;
+
+ /* MAC */
+ require_len(20);
+ macstart = bufp;
+ bufp += 20; lenp -= 20;
+
+ if (lenp != 0) goto invval;
+
+ switch(auth->authstate) {
+ case OTRL_AUTHSTATE_AWAITING_REVEALSIG:
+ gxbuf = malloc(auth->encgx_len);
+ if (auth->encgx_len && gxbuf == NULL) goto memerr;
+
+ /* Use r to decrypt the value of g^x we received earlier */
+ err = gcry_cipher_open(&enc, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR,
+ GCRY_CIPHER_SECURE);
+ if (err) goto err;
+
+ err = gcry_cipher_setkey(enc, auth->r, 16);
+ if (err) goto err;
+
+ memset(ctr, 0, 16);
+ err = gcry_cipher_setctr(enc, ctr, 16);
+ if (err) goto err;
+
+ err = gcry_cipher_decrypt(enc, gxbuf, auth->encgx_len,
+ auth->encgx, auth->encgx_len);
+ if (err) goto err;
+
+ gcry_cipher_close(enc);
+ enc = NULL;
+
+ /* Check the hash */
+ gcry_md_hash_buffer(GCRY_MD_SHA256, hashbuf, gxbuf,
+ auth->encgx_len);
+ if (memcmp(hashbuf, auth->hashgx, 32)) goto decfail;
+
+ /* Extract g^x */
+ bufp = gxbuf;
+ lenp = auth->encgx_len;
+
+ read_mpi(incoming_pub);
+ free(gxbuf);
+ gxbuf = NULL;
+
+ if (lenp != 0) goto invval;
+
+ gcry_mpi_release(auth->their_pub);
+ auth->their_pub = incoming_pub;
+ incoming_pub = NULL;
+
+ /* Compute the encryption and MAC keys */
+ err = otrl_dh_compute_v2_auth_keys(&(auth->our_dh),
+ auth->their_pub, auth->secure_session_id,
+ &(auth->secure_session_id_len),
+ &(auth->enc_c), &(auth->enc_cp),
+ &(auth->mac_m1), &(auth->mac_m1p),
+ &(auth->mac_m2), &(auth->mac_m2p));
+ if (err) goto err;
+
+ /* Check the MAC */
+ gcry_md_reset(auth->mac_m2);
+ gcry_md_write(auth->mac_m2, authstart, authend - authstart);
+ if (memcmp(macstart,
+ gcry_md_read(auth->mac_m2, GCRY_MD_SHA256),
+ 20)) goto invval;
+
+ /* Check the auth */
+ err = check_pubkey_auth(auth->their_fingerprint,
+ &(auth->their_keyid), authstart + 4,
+ authend - authstart - 4, auth->mac_m1, auth->enc_c,
+ auth->our_dh.pub, auth->their_pub);
+ if (err) goto err;
+
+ authstart = NULL;
+ authend = NULL;
+ macstart = NULL;
+ free(buf);
+ buf = NULL;
+
+ /* Create the Signature Message */
+ err = create_signature_message(auth, privkey);
+ if (err) goto err;
+
+ /* No error? Then we've completed our end of the
+ * authentication. */
+ auth->protocol_version = 2;
+ auth->session_id_half = OTRL_SESSIONID_SECOND_HALF_BOLD;
+ if (auth_succeeded) err = auth_succeeded(auth, asdata);
+ *havemsgp = 1;
+ auth->our_keyid = 0;
+ auth->authstate = OTRL_AUTHSTATE_NONE;
+
+ break;
+ case OTRL_AUTHSTATE_NONE:
+ case OTRL_AUTHSTATE_AWAITING_DHKEY:
+ case OTRL_AUTHSTATE_AWAITING_SIG:
+ case OTRL_AUTHSTATE_V1_SETUP:
+ /* Ignore this message */
+ *havemsgp = 0;
+ free(buf);
+ buf = NULL;
+ break;
+ }
+
+ return err;
+
+decfail:
+ err = gcry_error(GPG_ERR_NO_ERROR);
+ goto err;
+invval:
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ free(gxbuf);
+ gcry_cipher_close(enc);
+ gcry_mpi_release(incoming_pub);
+ return err;
+}
+
+/*
+ * Handle an incoming Signature Message. If no error is returned, and
+ * *havemsgp is 1, the message to be sent will be left in
+ * auth->lastauthmsg. Call the auth_succeeded callback if
+ * authentication is successful.
+ */
+gcry_error_t otrl_auth_handle_signature(OtrlAuthInfo *auth,
+ const char *sigmsg, int *havemsgp,
+ gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata),
+ void *asdata)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL;
+ unsigned char *authstart, *authend, *macstart;
+ size_t buflen, lenp, authlen;
+ int res;
+
+ *havemsgp = 0;
+
+ res = otrl_base64_otr_decode(sigmsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
+
+ bufp = buf;
+ lenp = buflen;
+
+ /* Header */
+ if (memcmp(bufp, "\x00\x02\x12", 3)) goto invval;
+ bufp += 3; lenp -= 3;
+
+ /* auth */
+ authstart = bufp;
+ read_int(authlen);
+ require_len(authlen);
+ bufp += authlen; lenp -= authlen;
+ authend = bufp;
+
+ /* MAC */
+ require_len(20);
+ macstart = bufp;
+ bufp += 20; lenp -= 20;
+
+ if (lenp != 0) goto invval;
+
+ switch(auth->authstate) {
+ case OTRL_AUTHSTATE_AWAITING_SIG:
+ /* Check the MAC */
+ gcry_md_reset(auth->mac_m2p);
+ gcry_md_write(auth->mac_m2p, authstart, authend - authstart);
+ if (memcmp(macstart,
+ gcry_md_read(auth->mac_m2p, GCRY_MD_SHA256),
+ 20)) goto invval;
+
+ /* Check the auth */
+ err = check_pubkey_auth(auth->their_fingerprint,
+ &(auth->their_keyid), authstart + 4,
+ authend - authstart - 4, auth->mac_m1p, auth->enc_cp,
+ auth->our_dh.pub, auth->their_pub);
+ if (err) goto err;
+
+ authstart = NULL;
+ authend = NULL;
+ macstart = NULL;
+ free(buf);
+ buf = NULL;
+
+ /* No error? Then we've completed our end of the
+ * authentication. */
+ auth->protocol_version = 2;
+ auth->session_id_half = OTRL_SESSIONID_FIRST_HALF_BOLD;
+ if (auth_succeeded) err = auth_succeeded(auth, asdata);
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = NULL;
+ *havemsgp = 1;
+ auth->our_keyid = 0;
+ auth->authstate = OTRL_AUTHSTATE_NONE;
+
+ break;
+ case OTRL_AUTHSTATE_NONE:
+ case OTRL_AUTHSTATE_AWAITING_DHKEY:
+ case OTRL_AUTHSTATE_AWAITING_REVEALSIG:
+ case OTRL_AUTHSTATE_V1_SETUP:
+ /* Ignore this message */
+ *havemsgp = 0;
+ break;
+ }
+
+ return err;
+
+invval:
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ return err;
+}
+
+/* Version 1 routines, for compatibility */
+
+/*
+ * Create a verion 1 Key Exchange Message using the values in the given
+ * auth, and store it in auth->lastauthmsg. Set the Reply field to the
+ * given value, and use the given privkey to sign the message.
+ */
+static gcry_error_t create_v1_key_exchange_message(OtrlAuthInfo *auth,
+ unsigned char reply, OtrlPrivKey *privkey)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ unsigned char *buf = NULL, *bufp = NULL, *sigbuf = NULL;
+ size_t lenp, ourpublen, totallen, siglen;
+ unsigned char hashbuf[20];
+
+ if (privkey->pubkey_type != OTRL_PUBKEY_TYPE_DSA) {
+ return gpg_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* How big is the DH public key? */
+ gcry_mpi_print(format, NULL, 0, &ourpublen, auth->our_dh.pub);
+
+ totallen = 3 + 1 + privkey->pubkey_datalen + 4 + 4 + ourpublen + 40;
+ buf = malloc(totallen);
+ if (buf == NULL) goto memerr;
+
+ bufp = buf;
+ lenp = totallen;
+
+ memcpy(bufp, "\x00\x01\x0a", 3); /* header */
+ debug_data("Header", bufp, 3);
+ bufp += 3; lenp -= 3;
+
+ bufp[0] = reply;
+ debug_data("Reply", bufp, 1);
+ bufp += 1; lenp -= 1;
+
+ memcpy(bufp, privkey->pubkey_data, privkey->pubkey_datalen);
+ debug_data("Pubkey", bufp, privkey->pubkey_datalen);
+ bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen;
+
+ write_int(auth->our_keyid);
+ debug_int("Keyid", bufp-4);
+
+ write_mpi(auth->our_dh.pub, ourpublen, "D-H y");
+
+ /* Hash all the data written so far, and sign the hash */
+ gcry_md_hash_buffer(GCRY_MD_SHA1, hashbuf, buf, bufp - buf);
+
+ err = otrl_privkey_sign(&sigbuf, &siglen, privkey, hashbuf, 20);
+ if (err) goto err;
+
+ if (siglen != 40) goto invval;
+ memcpy(bufp, sigbuf, 40);
+ debug_data("Signature", bufp, 40);
+ bufp += 40; lenp -= 40;
+ free(sigbuf);
+ sigbuf = NULL;
+
+ assert(lenp == 0);
+
+ free(auth->lastauthmsg);
+ auth->lastauthmsg = otrl_base64_otr_encode(buf, totallen);
+ if (auth->lastauthmsg == NULL) goto memerr;
+ free(buf);
+ buf = NULL;
+
+ return err;
+
+invval:
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ free(sigbuf);
+ return err;
+}
+
+/*
+ * Start a fresh AKE (version 1) using the given OtrlAuthInfo. If
+ * our_dh is NULL, generate a fresh DH keypair to use. Otherwise, use a
+ * copy of the one passed (with the given keyid). Use the given private
+ * key to sign the message. If no error is returned, the message to
+ * transmit will be contained in auth->lastauthmsg.
+ */
+gcry_error_t otrl_auth_start_v1(OtrlAuthInfo *auth, DH_keypair *our_dh,
+ unsigned int our_keyid, OtrlPrivKey *privkey)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+
+ /* Clear out this OtrlAuthInfo and start over */
+ otrl_auth_clear(auth);
+ auth->initiated = 1;
+
+ /* Import the given DH keypair, or else create a fresh one */
+ if (our_dh) {
+ otrl_dh_keypair_copy(&(auth->our_dh), our_dh);
+ auth->our_keyid = our_keyid;
+ } else {
+ otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
+ auth->our_keyid = 1;
+ }
+
+ err = create_v1_key_exchange_message(auth, 0, privkey);
+ if (!err) {
+ auth->authstate = OTRL_AUTHSTATE_V1_SETUP;
+ }
+
+ return err;
+}
+
+/*
+ * Handle an incoming v1 Key Exchange Message. If no error is returned,
+ * and *havemsgp is 1, the message to be sent will be left in
+ * auth->lastauthmsg. Use the given private authentication key to sign
+ * messages. Call the auth_secceeded callback if authentication is
+ * successful. If non-NULL, use a copy of the given D-H keypair, with
+ * the given keyid.
+ */
+gcry_error_t otrl_auth_handle_v1_key_exchange(OtrlAuthInfo *auth,
+ const char *keyexchmsg, int *havemsgp, OtrlPrivKey *privkey,
+ DH_keypair *our_dh, unsigned int our_keyid,
+ gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata),
+ void *asdata)
+{
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ unsigned char *buf = NULL, *bufp = NULL;
+ unsigned char *fingerprintstart, *fingerprintend;
+ unsigned char fingerprintbuf[20], hashbuf[20];
+ gcry_mpi_t p, q, g, y, received_pub = NULL;
+ gcry_sexp_t pubs = NULL;
+ size_t buflen, lenp;
+ unsigned char received_reply;
+ unsigned int received_keyid;
+ int res;
+
+ *havemsgp = 0;
+
+ res = otrl_base64_otr_decode(keyexchmsg, &buf, &buflen);
+ if (res == -1) goto memerr;
+ if (res == -2) goto invval;
+
+ bufp = buf;
+ lenp = buflen;
+
+ /* Header */
+ require_len(3);
+ if (memcmp(bufp, "\x00\x01\x0a", 3)) goto invval;
+ bufp += 3; lenp -= 3;
+
+ /* Reply */
+ require_len(1);
+ received_reply = bufp[0];
+ bufp += 1; lenp -= 1;
+
+ /* Public Key */
+ fingerprintstart = bufp;
+ read_mpi(p);
+ read_mpi(q);
+ read_mpi(g);
+ read_mpi(y);
+ fingerprintend = bufp;
+ gcry_md_hash_buffer(GCRY_MD_SHA1, fingerprintbuf,
+ fingerprintstart, fingerprintend-fingerprintstart);
+ gcry_sexp_build(&pubs, NULL,
+ "(public-key (dsa (p %m)(q %m)(g %m)(y %m)))", p, q, g, y);
+ gcry_mpi_release(p);
+ gcry_mpi_release(q);
+ gcry_mpi_release(g);
+ gcry_mpi_release(y);
+
+ /* keyid */
+ read_int(received_keyid);
+ if (received_keyid == 0) goto invval;
+
+ /* D-H pubkey */
+ read_mpi(received_pub);
+
+ /* Verify the signature */
+ if (lenp != 40) goto invval;
+ gcry_md_hash_buffer(GCRY_MD_SHA1, hashbuf, buf, bufp - buf);
+ err = otrl_privkey_verify(bufp, lenp, OTRL_PUBKEY_TYPE_DSA,
+ pubs, hashbuf, 20);
+ if (err) goto err;
+ gcry_sexp_release(pubs);
+ pubs = NULL;
+ free(buf);
+ buf = NULL;
+
+ if (auth->authstate != OTRL_AUTHSTATE_V1_SETUP && received_reply == 0x01) {
+ /* They're replying to something we never sent. We must be
+ * logged in more than once; ignore the message. */
+ err = gpg_error(GPG_ERR_NO_ERROR);
+ goto err;
+ }
+
+ if (auth->authstate != OTRL_AUTHSTATE_V1_SETUP) {
+ /* Clear the auth and start over */
+ otrl_auth_clear(auth);
+ }
+
+ /* Everything checked out */
+ auth->their_keyid = received_keyid;
+ gcry_mpi_release(auth->their_pub);
+ auth->their_pub = received_pub;
+ received_pub = NULL;
+ memcpy(auth->their_fingerprint, fingerprintbuf, 20);
+
+ if (received_reply == 0x01) {
+ /* Don't send a reply to this. */
+ *havemsgp = 0;
+ } else {
+ /* Import the given DH keypair, or else create a fresh one */
+ if (our_dh) {
+ otrl_dh_keypair_copy(&(auth->our_dh), our_dh);
+ auth->our_keyid = our_keyid;
+ } else if (auth->our_keyid == 0) {
+ otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh));
+ auth->our_keyid = 1;
+ }
+
+ /* Reply with our own Key Exchange Message */
+ err = create_v1_key_exchange_message(auth, 1, privkey);
+ if (err) goto err;
+ *havemsgp = 1;
+ }
+
+ /* Compute the session id */
+ err = otrl_dh_compute_v1_session_id(&(auth->our_dh),
+ auth->their_pub, auth->secure_session_id,
+ &(auth->secure_session_id_len),
+ &(auth->session_id_half));
+ if (err) goto err;
+
+ /* We've completed our end of the authentication */
+ auth->protocol_version = 1;
+ if (auth_succeeded) err = auth_succeeded(auth, asdata);
+ auth->our_keyid = 0;
+ auth->authstate = OTRL_AUTHSTATE_NONE;
+
+ return err;
+
+invval:
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
+memerr:
+ err = gcry_error(GPG_ERR_ENOMEM);
+err:
+ free(buf);
+ gcry_sexp_release(pubs);
+ gcry_mpi_release(received_pub);
+ return err;
+}
+
+#ifdef OTRL_TESTING_AUTH
+#include "mem.h"
+#include "privkey.h"
+
+#define CHECK_ERR if (err) { printf("Error: %s\n", gcry_strerror(err)); return 1; }
+
+static gcry_error_t starting(const OtrlAuthInfo *auth, void *asdata)
+{
+ char *name = asdata;
+
+ fprintf(stderr, "\nStarting ENCRYPTED mode for %s (v%d).\n", name, auth->protocol_version);
+
+ fprintf(stderr, "\nour_dh (%d):", auth->our_keyid);
+ gcry_mpi_dump(auth->our_dh.pub);
+ fprintf(stderr, "\ntheir_pub (%d):", auth->their_keyid);
+ gcry_mpi_dump(auth->their_pub);
+
+ debug_data("\nTheir fingerprint", auth->their_fingerprint, 20);
+ debug_data("\nSecure session id", auth->secure_session_id,
+ auth->secure_session_id_len);
+ fprintf(stderr, "Sessionid half: %d\n\n", auth->session_id_half);
+
+ return gpg_error(GPG_ERR_NO_ERROR);
+}
+
+int main(int argc, char **argv)
+{
+ OtrlAuthInfo alice, bob;
+ gcry_error_t err;
+ int havemsg;
+ OtrlUserState us;
+ OtrlPrivKey *alicepriv, *bobpriv;
+
+ otrl_mem_init();
+ otrl_dh_init();
+ otrl_auth_new(&alice);
+ otrl_auth_new(&bob);
+
+ us = otrl_userstate_create();
+ otrl_privkey_read(us, "/home/iang/.gaim/otr.private_key");
+ alicepriv = otrl_privkey_find(us, "oneeyedian", "prpl-oscar");
+ bobpriv = otrl_privkey_find(us, "otr4ian", "prpl-oscar");
+
+ printf("\n\n ***** V2 *****\n\n");
+
+ err = otrl_auth_start_v2(&bob, NULL, 0);
+ CHECK_ERR
+ printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
+ err = otrl_auth_handle_commit(&alice, bob.lastauthmsg, NULL, 0);
+ CHECK_ERR
+ printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), alice.lastauthmsg);
+ err = otrl_auth_handle_key(&bob, alice.lastauthmsg, &havemsg, bobpriv);
+ CHECK_ERR
+ if (havemsg) {
+ printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
+ } else {
+ printf("\nIGNORE\n\n");
+ }
+ err = otrl_auth_handle_revealsig(&alice, bob.lastauthmsg, &havemsg,
+ alicepriv, starting, "Alice");
+ CHECK_ERR
+ if (havemsg) {
+ printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), alice.lastauthmsg);
+ } else {
+ printf("\nIGNORE\n\n");
+ }
+ err = otrl_auth_handle_signature(&bob, alice.lastauthmsg, &havemsg,
+ starting, "Bob");
+ CHECK_ERR
+
+ printf("\n\n ***** V1 *****\n\n");
+
+ err = otrl_auth_start_v1(&bob, NULL, 0, bobpriv);
+ CHECK_ERR
+ printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
+ err = otrl_auth_handle_v1_key_exchange(&alice, bob.lastauthmsg,
+ &havemsg, alicepriv, NULL, 0, starting, "Alice");
+ CHECK_ERR
+ if (havemsg) {
+ printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), alice.lastauthmsg);
+ } else {
+ printf("\nIGNORE\n\n");
+ }
+ err = otrl_auth_handle_v1_key_exchange(&bob, alice.lastauthmsg,
+ &havemsg, bobpriv, NULL, 0, starting, "Bob");
+ CHECK_ERR
+ if (havemsg) {
+ printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg);
+ } else {
+ printf("\nIGNORE\n\n");
+ }
+
+ otrl_userstate_free(us);
+ otrl_auth_clear(&alice);
+ otrl_auth_clear(&bob);
+ return 0;
+}
+#endif
diff --git a/plugins/MirOTR/libotr/src/auth.h b/plugins/MirOTR/libotr/src/auth.h
new file mode 100644
index 0000000000..ac9c668d94
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/auth.h
@@ -0,0 +1,157 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __AUTH_H__
+#define __AUTH_H__
+
+#include <gcrypt.h>
+#include "dh.h"
+
+typedef enum {
+ OTRL_AUTHSTATE_NONE,
+ OTRL_AUTHSTATE_AWAITING_DHKEY,
+ OTRL_AUTHSTATE_AWAITING_REVEALSIG,
+ OTRL_AUTHSTATE_AWAITING_SIG,
+ OTRL_AUTHSTATE_V1_SETUP
+} OtrlAuthState;
+
+typedef struct {
+ OtrlAuthState authstate; /* Our state */
+
+ DH_keypair our_dh; /* Our D-H key */
+ unsigned int our_keyid; /* ...and its keyid */
+
+ unsigned char *encgx; /* The encrypted value of g^x */
+ size_t encgx_len; /* ...and its length */
+ unsigned char r[16]; /* The encryption key */
+
+ unsigned char hashgx[32]; /* SHA256(g^x) */
+
+ gcry_mpi_t their_pub; /* Their D-H public key */
+ unsigned int their_keyid; /* ...and its keyid */
+
+ gcry_cipher_hd_t enc_c, enc_cp; /* c and c' encryption keys */
+ gcry_md_hd_t mac_m1, mac_m1p; /* m1 and m1' MAC keys */
+ gcry_md_hd_t mac_m2, mac_m2p; /* m2 and m2' MAC keys */
+
+ unsigned char their_fingerprint[20]; /* The fingerprint of their
+ long-term signing key */
+
+ int initiated; /* Did we initiate this
+ authentication? */
+
+ unsigned int protocol_version; /* The protocol version number
+ used to authenticate. */
+
+ unsigned char secure_session_id[20]; /* The secure session id */
+ size_t secure_session_id_len; /* And its actual length,
+ which may be either 20 (for
+ v1) or 8 (for v2) */
+ OtrlSessionIdHalf session_id_half; /* Which half of the session
+ id gets shown in bold */
+
+ char *lastauthmsg; /* The last auth message
+ (base-64 encoded) we sent,
+ in case we need to
+ retransmit it. */
+} OtrlAuthInfo;
+
+#include "privkey-t.h"
+
+/*
+ * Initialize the fields of an OtrlAuthInfo (already allocated).
+ */
+void otrl_auth_new(OtrlAuthInfo *auth);
+
+/*
+ * Clear the fields of an OtrlAuthInfo (but leave it allocated).
+ */
+void otrl_auth_clear(OtrlAuthInfo *auth);
+
+/*
+ * Start a fresh AKE (version 2) using the given OtrlAuthInfo. Generate
+ * a fresh DH keypair to use. If no error is returned, the message to
+ * transmit will be contained in auth->lastauthmsg.
+ */
+gcry_error_t otrl_auth_start_v2(OtrlAuthInfo *auth);
+
+/*
+ * Handle an incoming D-H Commit Message. If no error is returned, the
+ * message to send will be left in auth->lastauthmsg. Generate a fresh
+ * keypair to use.
+ */
+gcry_error_t otrl_auth_handle_commit(OtrlAuthInfo *auth,
+ const char *commitmsg);
+
+/*
+ * Handle an incoming D-H Key Message. If no error is returned, and
+ * *havemsgp is 1, the message to sent will be left in auth->lastauthmsg.
+ * Use the given private authentication key to sign messages.
+ */
+gcry_error_t otrl_auth_handle_key(OtrlAuthInfo *auth, const char *keymsg,
+ int *havemsgp, OtrlPrivKey *privkey);
+
+/*
+ * Handle an incoming Reveal Signature Message. If no error is
+ * returned, and *havemsgp is 1, the message to be sent will be left in
+ * auth->lastauthmsg. Use the given private authentication key to sign
+ * messages. Call the auth_succeeded callback if authentication is
+ * successful.
+ */
+gcry_error_t otrl_auth_handle_revealsig(OtrlAuthInfo *auth,
+ const char *revealmsg, int *havemsgp, OtrlPrivKey *privkey,
+ gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata),
+ void *asdata);
+
+/*
+ * Handle an incoming Signature Message. If no error is returned, and
+ * *havemsgp is 1, the message to be sent will be left in
+ * auth->lastauthmsg. Call the auth_succeeded callback if
+ * authentication is successful.
+ */
+gcry_error_t otrl_auth_handle_signature(OtrlAuthInfo *auth,
+ const char *sigmsg, int *havemsgp,
+ gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata),
+ void *asdata);
+
+/*
+ * Start a fresh AKE (version 1) using the given OtrlAuthInfo. If
+ * our_dh is NULL, generate a fresh DH keypair to use. Otherwise, use a
+ * copy of the one passed (with the given keyid). Use the given private
+ * key to sign the message. If no error is returned, the message to
+ * transmit will be contained in auth->lastauthmsg.
+ */
+gcry_error_t otrl_auth_start_v1(OtrlAuthInfo *auth, DH_keypair *our_dh,
+ unsigned int our_keyid, OtrlPrivKey *privkey);
+
+/*
+ * Handle an incoming v1 Key Exchange Message. If no error is returned,
+ * and *havemsgp is 1, the message to be sent will be left in
+ * auth->lastauthmsg. Use the given private authentication key to sign
+ * messages. Call the auth_secceeded callback if authentication is
+ * successful. If non-NULL, use a copy of the given D-H keypair, with
+ * the given keyid.
+ */
+gcry_error_t otrl_auth_handle_v1_key_exchange(OtrlAuthInfo *auth,
+ const char *keyexchmsg, int *havemsgp, OtrlPrivKey *privkey,
+ DH_keypair *our_dh, unsigned int our_keyid,
+ gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata),
+ void *asdata);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/b64.c b/plugins/MirOTR/libotr/src/b64.c
new file mode 100644
index 0000000000..222f56634c
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/b64.c
@@ -0,0 +1,249 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* Modified from: */
+
+/*********************************************************************\
+
+MODULE NAME: b64.c
+
+AUTHOR: Bob Trower 08/04/01
+
+LICENCE: Copyright (c) 2001 Bob Trower, Trantor Standard Systems Inc.
+
+ Permission is hereby granted, free of charge, to any person
+ obtaining a copy of this software and associated
+ documentation files (the "Software"), to deal in the
+ Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute,
+ sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so,
+ subject to the following conditions:
+
+ The above copyright notice and this permission notice shall
+ be included in all copies or substantial portions of the
+ Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
+ KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+ WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
+ OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+VERSION HISTORY:
+ Bob Trower 08/04/01 -- Create Version 0.00.00B
+
+\******************************************************************* */
+
+/* system headers */
+#include <stdlib.h>
+#include <string.h>
+
+/* libotr headers */
+#include "b64.h"
+
+/*
+** Translation Table as described in RFC1113
+*/
+static const char cb64[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+/*
+** Translation Table to decode (created by author)
+*/
+static const char cd64[]="|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\\]^_`abcdefghijklmnopq";
+
+/*
+** encodeblock
+**
+** encode up to 3 8-bit binary bytes as 4 '6-bit' characters.
+** len must be 1, 2, or 3.
+*/
+static void encodeblock( char *out, const unsigned char *in, size_t len )
+{
+ unsigned char in0, in1, in2;
+ in0 = in[0];
+ in1 = len > 1 ? in[1] : 0;
+ in2 = len > 2 ? in[2] : 0;
+
+ out[0] = cb64[ in0 >> 2 ];
+ out[1] = cb64[ ((in0 & 0x03) << 4) | ((in1 & 0xf0) >> 4) ];
+ out[2] = len > 1 ? cb64[ ((in1 & 0x0f) << 2) | ((in2 & 0xc0) >> 6) ]
+ : '=';
+ out[3] = len > 2 ? cb64[ in2 & 0x3f ]
+ : '=';
+}
+
+/*
+ * base64 encode data. Insert no linebreaks or whitespace.
+ *
+ * The buffer base64data must contain at least ((datalen+2)/3)*4 bytes of
+ * space. This function will return the number of bytes actually used.
+ */
+size_t otrl_base64_encode(char *base64data, const unsigned char *data,
+ size_t datalen)
+{
+ size_t base64len = 0;
+
+ while(datalen > 2) {
+ encodeblock(base64data, data, 3);
+ base64data += 4;
+ base64len += 4;
+ data += 3;
+ datalen -= 3;
+ }
+ if (datalen > 0) {
+ encodeblock(base64data, data, datalen);
+ base64len += 4;
+ }
+
+ return base64len;
+}
+
+static size_t decode(unsigned char *out, const char *in, size_t b64len)
+{
+ size_t written = 0;
+ unsigned char c = 0;
+
+ if (b64len > 0) {
+ c = in[0] << 2;
+ }
+ if (b64len > 1) {
+ out[0] = c | in[1] >> 4;
+ written = 1;
+ c = in[1] << 4;
+ }
+ if (b64len > 2) {
+ out[1] = c | in[2] >> 2;
+ written = 2;
+ c = in[2] << 6;
+ }
+ if (b64len > 3) {
+ out[2] = c | in[3];
+ written = 3;
+ }
+ return written;
+}
+
+/*
+ * base64 decode data. Skip non-base64 chars, and terminate at the
+ * first '=', or the end of the buffer.
+ *
+ * The buffer data must contain at least (base64len / 4) * 3 bytes of
+ * space. This function will return the number of bytes actually used.
+ */
+size_t otrl_base64_decode(unsigned char *data, const char *base64data,
+ size_t base64len)
+{
+ size_t datalen = 0;
+ char b64[4];
+ size_t b64accum = 0;
+
+ while(base64len > 0) {
+ char b = *base64data;
+ unsigned char bdecode;
+ ++base64data;
+ --base64len;
+ if (b < '+' || b > 'z') continue; /* Skip non-base64 chars */
+ if (b == '=') {
+ /* Force termination */
+ datalen += decode(data, b64, b64accum);
+ base64len = 0;
+ } else {
+ bdecode = cd64[b-'+'];
+ if (bdecode == '$') continue; /* Skip non-base64 chars */
+ b64[b64accum++] = bdecode-'>';
+ if (b64accum == 4) {
+ /* We have a complete block; decode it. */
+ size_t written = decode(data, b64, b64accum);
+ data += written;
+ datalen += written;
+ b64accum = 0;
+ }
+ }
+ }
+
+ /* Just discard any short block at the end. */
+
+ return datalen;
+}
+
+/*
+ * Base64-encode a block of data, stick "?OTR:" and "." around it, and
+ * return the result, or NULL in the event of a memory error. The
+ * caller must free() the return value.
+ */
+char *otrl_base64_otr_encode(const unsigned char *buf, size_t buflen)
+{
+ char *base64buf;
+ size_t base64len;
+
+ /* Make the base64-encoding. */
+ base64len = ((buflen + 2) / 3) * 4;
+ base64buf = malloc(5 + base64len + 1 + 1);
+ if (base64buf == NULL) {
+ return NULL;
+ }
+ memcpy(base64buf, "?OTR:", 5);
+ otrl_base64_encode(base64buf+5, buf, buflen);
+ base64buf[5 + base64len] = '.';
+ base64buf[5 + base64len + 1] = '\0';
+
+ return base64buf;
+}
+
+/*
+ * Base64-decode the portion of the given message between "?OTR:" and
+ * ".". Set *bufp to the decoded data, and set *lenp to its length.
+ * The caller must free() the result. Return 0 on success, -1 on a
+ * memory error, or -2 on invalid input.
+ */
+int otrl_base64_otr_decode(const char *msg, unsigned char **bufp,
+ size_t *lenp)
+{
+ char *otrtag, *endtag;
+ size_t msglen, rawlen;
+ unsigned char *rawmsg;
+
+ otrtag = strstr(msg, "?OTR:");
+ if (!otrtag) {
+ return -2;
+ }
+ endtag = strchr(otrtag, '.');
+ if (endtag) {
+ msglen = endtag-otrtag;
+ } else {
+ return -2;
+ }
+
+ /* Base64-decode the message */
+ rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
+ rawmsg = malloc(rawlen);
+ if (!rawmsg && rawlen > 0) {
+ return -1;
+ }
+ rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
+
+ *bufp = rawmsg;
+ *lenp = rawlen;
+
+ return 0;
+}
diff --git a/plugins/MirOTR/libotr/src/b64.h b/plugins/MirOTR/libotr/src/b64.h
new file mode 100644
index 0000000000..34ef03f416
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/b64.h
@@ -0,0 +1,57 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __B64_H__
+#define __B64_H__
+
+/*
+ * base64 encode data. Insert no linebreaks or whitespace.
+ *
+ * The buffer base64data must contain at least ((datalen+2)/3)*4 bytes of
+ * space. This function will return the number of bytes actually used.
+ */
+size_t otrl_base64_encode(char *base64data, const unsigned char *data,
+ size_t datalen);
+
+/*
+ * base64 decode data. Skip non-base64 chars, and terminate at the
+ * first '=', or the end of the buffer.
+ *
+ * The buffer data must contain at least (base64len / 4) * 3 bytes of
+ * space. This function will return the number of bytes actually used.
+ */
+size_t otrl_base64_decode(unsigned char *data, const char *base64data,
+ size_t base64len);
+
+/*
+ * Base64-encode a block of data, stick "?OTR:" and "." around it, and
+ * return the result, or NULL in the event of a memory error.
+ */
+char *otrl_base64_otr_encode(const unsigned char *buf, size_t buflen);
+
+/*
+ * Base64-decode the portion of the given message between "?OTR:" and
+ * ".". Set *bufp to the decoded data, and set *lenp to its length.
+ * The caller must free() the result. Return 0 on success, -1 on a
+ * memory error, or -2 on invalid input.
+ */
+int otrl_base64_otr_decode(const char *msg, unsigned char **bufp,
+ size_t *lenp);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/context.c b/plugins/MirOTR/libotr/src/context.c
new file mode 100644
index 0000000000..d0d912f76a
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/context.c
@@ -0,0 +1,330 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* system headers */
+#include <stdlib.h>
+#include <assert.h>
+
+/* libgcrypt headers */
+#include <gcrypt.h>
+
+/* libotr headers */
+#include "context.h"
+
+/* Create a new connection context. */
+static ConnContext * new_context(const char * user, const char * accountname,
+ const char * protocol)
+{
+ ConnContext * context;
+ OtrlSMState *smstate;
+ context = malloc(sizeof(*context));
+ assert(context != NULL);
+ context->username = _strdup(user);
+ context->accountname = _strdup(accountname);
+ context->protocol = _strdup(protocol);
+ context->fragment = NULL;
+ context->fragment_len = 0;
+ context->fragment_n = 0;
+ context->fragment_k = 0;
+ context->msgstate = OTRL_MSGSTATE_PLAINTEXT;
+ otrl_auth_new(&(context->auth));
+
+ smstate = malloc(sizeof(OtrlSMState));
+ assert(smstate != NULL);
+ otrl_sm_state_new(smstate);
+ context->smstate = smstate;
+
+ context->fingerprint_root.fingerprint = NULL;
+ context->fingerprint_root.context = context;
+ context->fingerprint_root.next = NULL;
+ context->fingerprint_root.tous = NULL;
+ context->active_fingerprint = NULL;
+ context->their_keyid = 0;
+ context->their_y = NULL;
+ context->their_old_y = NULL;
+ context->our_keyid = 0;
+ context->our_dh_key.groupid = 0;
+ context->our_dh_key.priv = NULL;
+ context->our_dh_key.pub = NULL;
+ context->our_old_dh_key.groupid = 0;
+ context->our_old_dh_key.priv = NULL;
+ context->our_old_dh_key.pub = NULL;
+ otrl_dh_session_blank(&(context->sesskeys[0][0]));
+ otrl_dh_session_blank(&(context->sesskeys[0][1]));
+ otrl_dh_session_blank(&(context->sesskeys[1][0]));
+ otrl_dh_session_blank(&(context->sesskeys[1][1]));
+ memset(context->sessionid, 0, 20);
+ context->sessionid_len = 0;
+ context->protocol_version = 0;
+ context->numsavedkeys = 0;
+ context->preshared_secret = NULL;
+ context->preshared_secret_len = 0;
+ context->saved_mac_keys = NULL;
+ context->generation = 0;
+ context->lastsent = 0;
+ context->lastmessage = NULL;
+ context->may_retransmit = 0;
+ context->otr_offer = OFFER_NOT;
+ context->app_data = NULL;
+ context->app_data_free = NULL;
+ context->next = NULL;
+ return context;
+}
+
+ConnContext * otrl_context_new(const char * user, const char * accountname,
+ const char * protocol)
+{
+ return new_context(user, accountname, protocol);
+}
+
+/* Look up a connection context by name/account/protocol from the given
+ * OtrlUserState. If add_if_missing is true, allocate and return a new
+ * context if one does not currently exist. In that event, call
+ * add_app_data(data, context) so that app_data and app_data_free can be
+ * filled in by the application, and set *addedp to 1. */
+ConnContext * otrl_context_find(OtrlUserState us, const char *user,
+ const char *accountname, const char *protocol, int add_if_missing,
+ int *addedp,
+ void (*add_app_data)(void *data, ConnContext *context), void *data)
+{
+ ConnContext ** curp;
+ int usercmp = 1, acctcmp = 1, protocmp = 1;
+ if (addedp) *addedp = 0;
+ if (!user || !accountname || !protocol) return NULL;
+ for (curp = &(us->context_root); *curp; curp = &((*curp)->next)) {
+ if ((usercmp = strcmp((*curp)->username, user)) > 0 ||
+ (usercmp == 0 &&
+ (acctcmp = strcmp((*curp)->accountname, accountname)) > 0) ||
+ (usercmp == 0 && acctcmp == 0 &&
+ (protocmp = strcmp((*curp)->protocol, protocol)) >= 0))
+ /* We're at the right place in the list. We've either found
+ * it, or gone too far. */
+ break;
+ }
+ if (usercmp == 0 && acctcmp == 0 && protocmp == 0) {
+ /* Found it! */
+ return *curp;
+ }
+ if (add_if_missing) {
+ ConnContext *newctx;
+ if (addedp) *addedp = 1;
+ newctx = new_context(user, accountname, protocol);
+ newctx->next = *curp;
+ if (*curp) {
+ (*curp)->tous = &(newctx->next);
+ }
+ *curp = newctx;
+ newctx->tous = curp;
+ if (add_app_data) {
+ add_app_data(data, *curp);
+ }
+ return *curp;
+ }
+ return NULL;
+}
+
+/* Find a fingerprint in a given context, perhaps adding it if not
+ * present. */
+Fingerprint *otrl_context_find_fingerprint(ConnContext *context,
+ unsigned char fingerprint[20], int add_if_missing, int *addedp)
+{
+ Fingerprint *f = context->fingerprint_root.next;
+ if (addedp) *addedp = 0;
+ while(f) {
+ if (!memcmp(f->fingerprint, fingerprint, 20)) return f;
+ f = f->next;
+ }
+ /* Didn't find it. */
+ if (add_if_missing) {
+ if (addedp) *addedp = 1;
+ f = malloc(sizeof(*f));
+ assert(f != NULL);
+ f->fingerprint = malloc(20);
+ assert(f->fingerprint != NULL);
+ memcpy(f->fingerprint, fingerprint, 20);
+ f->context = context;
+ f->trust = NULL;
+ f->next = context->fingerprint_root.next;
+ if (f->next) {
+ f->next->tous = &(f->next);
+ }
+ context->fingerprint_root.next = f;
+ f->tous = &(context->fingerprint_root.next);
+ return f;
+ }
+ return NULL;
+}
+
+/* Set the trust level for a given fingerprint */
+void otrl_context_set_trust(Fingerprint *fprint, const char *trust)
+{
+ if (fprint == NULL) return;
+
+ free(fprint->trust);
+ fprint->trust = trust ? _strdup(trust) : NULL;
+}
+
+/* Set the preshared secret for a given fingerprint. Note that this
+ * currently only stores the secret in the ConnContext structure, but
+ * doesn't yet do anything with it. */
+void otrl_context_set_preshared_secret(ConnContext *context,
+ const unsigned char *secret, size_t secret_len)
+{
+ free(context->preshared_secret);
+ context->preshared_secret = NULL;
+ context->preshared_secret_len = 0;
+
+ if (secret_len) {
+ context->preshared_secret = malloc(secret_len);
+ if (context->preshared_secret) {
+ memcpy(context->preshared_secret, secret, secret_len);
+ context->preshared_secret_len = secret_len;
+ }
+ }
+}
+
+/* Force a context into the OTRL_MSGSTATE_FINISHED state. */
+void otrl_context_force_finished(ConnContext *context)
+{
+ context->msgstate = OTRL_MSGSTATE_FINISHED;
+ otrl_auth_clear(&(context->auth));
+ free(context->fragment);
+ context->fragment = NULL;
+ context->fragment_len = 0;
+ context->fragment_n = 0;
+ context->fragment_k = 0;
+ context->active_fingerprint = NULL;
+ context->their_keyid = 0;
+ gcry_mpi_release(context->their_y);
+ context->their_y = NULL;
+ gcry_mpi_release(context->their_old_y);
+ context->their_old_y = NULL;
+ context->our_keyid = 0;
+ otrl_dh_keypair_free(&(context->our_dh_key));
+ otrl_dh_keypair_free(&(context->our_old_dh_key));
+ otrl_dh_session_free(&(context->sesskeys[0][0]));
+ otrl_dh_session_free(&(context->sesskeys[0][1]));
+ otrl_dh_session_free(&(context->sesskeys[1][0]));
+ otrl_dh_session_free(&(context->sesskeys[1][1]));
+ memset(context->sessionid, 0, 20);
+ context->sessionid_len = 0;
+ free(context->preshared_secret);
+ context->preshared_secret = NULL;
+ context->preshared_secret_len = 0;
+ context->protocol_version = 0;
+ context->numsavedkeys = 0;
+ free(context->saved_mac_keys);
+ context->saved_mac_keys = NULL;
+ gcry_free(context->lastmessage);
+ context->lastmessage = NULL;
+ context->may_retransmit = 0;
+ otrl_sm_state_free(context->smstate);
+}
+
+/* Force a context into the OTRL_MSGSTATE_PLAINTEXT state. */
+void otrl_context_force_plaintext(ConnContext *context)
+{
+ /* First clean up everything we'd need to do for the FINISHED state */
+ otrl_context_force_finished(context);
+
+ /* And just set the state properly */
+ context->msgstate = OTRL_MSGSTATE_PLAINTEXT;
+}
+
+/* Forget a fingerprint (so long as it's not the active one. If it's a
+ * fingerprint_root, forget the whole context (as long as
+ * and_maybe_context is set, and it's PLAINTEXT). Also, if it's not
+ * the fingerprint_root, but it's the only fingerprint, and we're
+ * PLAINTEXT, forget the whole context if and_maybe_context is set. */
+void otrl_context_forget_fingerprint(Fingerprint *fprint,
+ int and_maybe_context)
+{
+ ConnContext *context = fprint->context;
+ if (fprint == &(context->fingerprint_root)) {
+ if (context->msgstate == OTRL_MSGSTATE_PLAINTEXT &&
+ and_maybe_context) {
+ otrl_context_forget(context);
+ }
+ } else {
+ if (context->msgstate != OTRL_MSGSTATE_PLAINTEXT ||
+ context->active_fingerprint != fprint) {
+ free(fprint->fingerprint);
+ free(fprint->trust);
+ *(fprint->tous) = fprint->next;
+ if (fprint->next) {
+ fprint->next->tous = fprint->tous;
+ }
+ free(fprint);
+ if (context->msgstate == OTRL_MSGSTATE_PLAINTEXT &&
+ context->fingerprint_root.next == NULL &&
+ and_maybe_context) {
+ /* We just deleted the only fingerprint. Forget the
+ * whole thing. */
+ otrl_context_forget(context);
+ }
+ }
+ }
+}
+
+/* Forget a whole context, so long as it's PLAINTEXT. */
+void otrl_context_forget(ConnContext *context)
+{
+ if (context->msgstate != OTRL_MSGSTATE_PLAINTEXT) return;
+
+ /* Just to be safe, force to plaintext. This also frees any
+ * extraneous data lying around. */
+ otrl_context_force_plaintext(context);
+
+ /* First free all the Fingerprints */
+ while(context->fingerprint_root.next) {
+ otrl_context_forget_fingerprint(context->fingerprint_root.next, 0);
+ }
+ /* Now free all the dynamic info here */
+ free(context->username);
+ free(context->accountname);
+ free(context->protocol);
+ free(context->smstate);
+ context->username = NULL;
+ context->accountname = NULL;
+ context->protocol = NULL;
+ context->smstate = NULL;
+
+ /* Free the application data, if it exists */
+ if (context->app_data && context->app_data_free) {
+ (context->app_data_free)(context->app_data);
+ context->app_data = NULL;
+ }
+
+ /* Fix the list linkages */
+ *(context->tous) = context->next;
+ if (context->next) {
+ context->next->tous = context->tous;
+ }
+
+ free(context);
+}
+
+/* Forget all the contexts in a given OtrlUserState. */
+void otrl_context_forget_all(OtrlUserState us)
+{
+ while (us->context_root) {
+ otrl_context_force_plaintext(us->context_root);
+ otrl_context_forget(us->context_root);
+ }
+}
diff --git a/plugins/MirOTR/libotr/src/context.h b/plugins/MirOTR/libotr/src/context.h
new file mode 100644
index 0000000000..91a1b45c52
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/context.h
@@ -0,0 +1,182 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __CONTEXT_H__
+#define __CONTEXT_H__
+
+#include <gcrypt.h>
+
+#include "dh.h"
+#include "auth.h"
+#include "sm.h"
+
+typedef enum {
+ OTRL_MSGSTATE_PLAINTEXT, /* Not yet started an encrypted
+ conversation */
+ OTRL_MSGSTATE_ENCRYPTED, /* Currently in an encrypted
+ conversation */
+ OTRL_MSGSTATE_FINISHED /* The remote side has sent us a
+ notification that he has ended
+ his end of the encrypted
+ conversation; prevent any
+ further messages from being
+ sent to him. */
+} OtrlMessageState;
+
+typedef struct s_fingerprint {
+ struct s_fingerprint *next; /* The next fingerprint in the list */
+ struct s_fingerprint **tous; /* A pointer to the pointer to us */
+ unsigned char *fingerprint; /* The fingerprint, or NULL */
+ struct context *context; /* The context to which we belong */
+ char *trust; /* The trust level of the fingerprint */
+} Fingerprint;
+
+typedef struct context {
+ struct context * next; /* Linked list pointer */
+ struct context ** tous; /* A pointer to the pointer to us */
+
+ char * username; /* The user this context is for */
+ char * accountname; /* The username is relative to
+ this account... */
+ char * protocol; /* ... and this protocol */
+
+ char *fragment; /* The part of the fragmented message
+ we've seen so far */
+ size_t fragment_len; /* The length of fragment */
+ unsigned short fragment_n; /* The total number of fragments
+ in this message */
+ unsigned short fragment_k; /* The highest fragment number
+ we've seen so far for this
+ message */
+
+ OtrlMessageState msgstate; /* The state of message disposition
+ with this user */
+ OtrlAuthInfo auth; /* The state of ongoing
+ authentication with this user */
+
+ Fingerprint fingerprint_root; /* The root of a linked list of
+ Fingerprints entries */
+ Fingerprint *active_fingerprint; /* Which fingerprint is in use now?
+ A pointer into the above list */
+ unsigned int their_keyid; /* current keyid used by other side;
+ this is set to 0 if we get a
+ OTRL_TLV_DISCONNECTED message from
+ them. */
+ gcry_mpi_t their_y; /* Y[their_keyid] (their DH pubkey) */
+ gcry_mpi_t their_old_y; /* Y[their_keyid-1] (their prev DH
+ pubkey) */
+ unsigned int our_keyid; /* current keyid used by us */
+ DH_keypair our_dh_key; /* DH key[our_keyid] */
+ DH_keypair our_old_dh_key; /* DH key[our_keyid-1] */
+
+ DH_sesskeys sesskeys[2][2]; /* sesskeys[i][j] are the session keys
+ derived from DH key[our_keyid-i]
+ and mpi Y[their_keyid-j] */
+
+ unsigned char sessionid[20]; /* The sessionid and bold half */
+ size_t sessionid_len; /* determined when this private */
+ OtrlSessionIdHalf sessionid_half; /* connection was established. */
+
+ unsigned int protocol_version; /* The version of OTR in use */
+
+ unsigned char *preshared_secret; /* A secret you share with this
+ user, in order to do
+ authentication. */
+ size_t preshared_secret_len; /* The length of the above secret. */
+
+ /* saved mac keys to be revealed later */
+ unsigned int numsavedkeys;
+ unsigned char *saved_mac_keys;
+
+ /* generation number: increment every time we go private, and never
+ * reset to 0 (unless we remove the context entirely) */
+ unsigned int generation;
+
+ time_t lastsent; /* The last time a Data Message was sent */
+ char *lastmessage; /* The plaintext of the last Data Message sent */
+ int may_retransmit; /* Is the last message eligible for
+ retransmission? */
+
+ enum {
+ OFFER_NOT,
+ OFFER_SENT,
+ OFFER_REJECTED,
+ OFFER_ACCEPTED
+ } otr_offer; /* Has this correspondent repsponded to our
+ OTR offers? */
+
+ /* Application data to be associated with this context */
+ void *app_data;
+ /* A function to free the above data when we forget this context */
+ void (*app_data_free)(void *);
+
+ OtrlSMState *smstate; /* The state of the current
+ socialist millionaires exchange */
+} ConnContext;
+
+#include "userstate.h"
+
+ConnContext * otrl_context_new(const char * user, const char * accountname,
+ const char * protocol);
+
+/* Look up a connection context by name/account/protocol from the given
+ * OtrlUserState. If add_if_missing is true, allocate and return a new
+ * context if one does not currently exist. In that event, call
+ * add_app_data(data, context) so that app_data and app_data_free can be
+ * filled in by the application, and set *addedp to 1. */
+ConnContext * otrl_context_find(OtrlUserState us, const char *user,
+ const char *accountname, const char *protocol, int add_if_missing,
+ int *addedp,
+ void (*add_app_data)(void *data, ConnContext *context), void *data);
+
+/* Find a fingerprint in a given context, perhaps adding it if not
+ * present. */
+Fingerprint *otrl_context_find_fingerprint(ConnContext *context,
+ unsigned char fingerprint[20], int add_if_missing, int *addedp);
+
+/* Set the trust level for a given fingerprint */
+void otrl_context_set_trust(Fingerprint *fprint, const char *trust);
+
+/* Set the preshared secret for a given fingerprint. Note that this
+ * currently only stores the secret in the ConnContext structure, but
+ * doesn't yet do anything with it. */
+void otrl_context_set_preshared_secret(ConnContext *context,
+ const unsigned char *secret, size_t secret_len);
+
+/* Force a context into the OTRL_MSGSTATE_FINISHED state. */
+void otrl_context_force_finished(ConnContext *context);
+
+/* Force a context into the OTRL_MSGSTATE_PLAINTEXT state. */
+void otrl_context_force_plaintext(ConnContext *context);
+
+/* Forget a fingerprint (so long as it's not the active one. If it's a
+ * fingerprint_root, forget the whole context (as long as
+ * and_maybe_context is set, and it's PLAINTEXT). Also, if it's not
+ * the fingerprint_root, but it's the only fingerprint, and we're
+ * PLAINTEXT, forget the whole context if and_maybe_context is set. */
+void otrl_context_forget_fingerprint(Fingerprint *fprint,
+ int and_maybe_context);
+
+/* Forget a whole context, so long as it's PLAINTEXT. */
+void otrl_context_forget(ConnContext *context);
+
+/* Forget all the contexts in a given OtrlUserState. */
+void otrl_context_forget_all(OtrlUserState us);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/dh.c b/plugins/MirOTR/libotr/src/dh.c
new file mode 100644
index 0000000000..e23788dd08
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/dh.c
@@ -0,0 +1,466 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* system headers */
+#include <stdlib.h>
+
+/* libgcrypt headers */
+#include <gcrypt.h>
+
+/* libotr headers */
+#include "dh.h"
+
+static const char* DH1536_MODULUS_S = "0x"
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF";
+static const char *DH1536_GENERATOR_S = "0x02";
+static const int DH1536_MOD_LEN_BITS = 1536;
+static const int DH1536_MOD_LEN_BYTES = 192;
+
+static gcry_mpi_t DH1536_MODULUS = NULL;
+static gcry_mpi_t DH1536_MODULUS_MINUS_2 = NULL;
+static gcry_mpi_t DH1536_GENERATOR = NULL;
+
+/*
+ * Call this once, at plugin load time. It sets up the modulus and
+ * generator MPIs.
+ */
+void otrl_dh_init(void)
+{
+ gcry_mpi_scan(&DH1536_MODULUS, GCRYMPI_FMT_HEX, DH1536_MODULUS_S, 0, NULL);
+ gcry_mpi_scan(&DH1536_GENERATOR, GCRYMPI_FMT_HEX, DH1536_GENERATOR_S,
+ 0, NULL);
+ DH1536_MODULUS_MINUS_2 = gcry_mpi_new(DH1536_MOD_LEN_BITS);
+ gcry_mpi_sub_ui(DH1536_MODULUS_MINUS_2, DH1536_MODULUS, 2);
+}
+
+/*
+ * Initialize the fields of a DH keypair.
+ */
+void otrl_dh_keypair_init(DH_keypair *kp)
+{
+ kp->groupid = 0;
+ kp->priv = NULL;
+ kp->pub = NULL;
+}
+
+/*
+ * Copy a DH_keypair.
+ */
+void otrl_dh_keypair_copy(DH_keypair *dst, const DH_keypair *src)
+{
+ dst->groupid = src->groupid;
+ dst->priv = gcry_mpi_copy(src->priv);
+ dst->pub = gcry_mpi_copy(src->pub);
+}
+
+/*
+ * Deallocate the contents of a DH_keypair (but not the DH_keypair
+ * itself)
+ */
+void otrl_dh_keypair_free(DH_keypair *kp)
+{
+ gcry_mpi_release(kp->priv);
+ gcry_mpi_release(kp->pub);
+ kp->priv = NULL;
+ kp->pub = NULL;
+}
+
+/*
+ * Generate a DH keypair for a specified group.
+ */
+gcry_error_t otrl_dh_gen_keypair(unsigned int groupid, DH_keypair *kp)
+{
+ unsigned char *secbuf = NULL;
+ gcry_mpi_t privkey = NULL;
+
+ if (groupid != DH1536_GROUP_ID) {
+ /* Invalid group id */
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Generate the secret key: a random 320-bit value */
+ secbuf = gcry_random_bytes_secure(40, GCRY_STRONG_RANDOM);
+ gcry_mpi_scan(&privkey, GCRYMPI_FMT_USG, secbuf, 40, NULL);
+ gcry_free(secbuf);
+
+ kp->groupid = groupid;
+ kp->priv = privkey;
+ kp->pub = gcry_mpi_new(DH1536_MOD_LEN_BITS);
+ gcry_mpi_powm(kp->pub, DH1536_GENERATOR, privkey, DH1536_MODULUS);
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/*
+ * Construct session keys from a DH keypair and someone else's public
+ * key.
+ */
+gcry_error_t otrl_dh_session(DH_sesskeys *sess, const DH_keypair *kp,
+ gcry_mpi_t y)
+{
+ gcry_mpi_t gab;
+ size_t gablen;
+ unsigned char *gabdata;
+ unsigned char *hashdata;
+ unsigned char sendbyte, rcvbyte;
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+
+ otrl_dh_session_blank(sess);
+
+ if (kp->groupid != DH1536_GROUP_ID) {
+ /* Invalid group id */
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Calculate the shared secret MPI */
+ gab = gcry_mpi_new(DH1536_MOD_LEN_BITS);
+ gcry_mpi_powm(gab, y, kp->priv, DH1536_MODULUS);
+
+ /* Output it in the right format */
+ gcry_mpi_print(GCRYMPI_FMT_USG, NULL, 0, &gablen, gab);
+ gabdata = gcry_malloc_secure(gablen + 5);
+ if (!gabdata) {
+ gcry_mpi_release(gab);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ gabdata[1] = (gablen >> 24) & 0xff;
+ gabdata[2] = (gablen >> 16) & 0xff;
+ gabdata[3] = (gablen >> 8) & 0xff;
+ gabdata[4] = gablen & 0xff;
+ gcry_mpi_print(GCRYMPI_FMT_USG, gabdata+5, gablen, NULL, gab);
+ gcry_mpi_release(gab);
+
+ hashdata = gcry_malloc_secure(20);
+ if (!hashdata) {
+ gcry_free(gabdata);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+
+ /* Are we the "high" or "low" end of the connection? */
+ if ( gcry_mpi_cmp(kp->pub, y) > 0 ) {
+ sendbyte = 0x01;
+ rcvbyte = 0x02;
+ } else {
+ sendbyte = 0x02;
+ rcvbyte = 0x01;
+ }
+
+ /* Calculate the sending encryption key */
+ gabdata[0] = sendbyte;
+ gcry_md_hash_buffer(GCRY_MD_SHA1, hashdata, gabdata, gablen+5);
+ err = gcry_cipher_open(&(sess->sendenc), GCRY_CIPHER_AES,
+ GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE);
+ if (err) goto err;
+ err = gcry_cipher_setkey(sess->sendenc, hashdata, 16);
+ if (err) goto err;
+
+ /* Calculate the sending MAC key */
+ gcry_md_hash_buffer(GCRY_MD_SHA1, sess->sendmackey, hashdata, 16);
+ err = gcry_md_open(&(sess->sendmac), GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC);
+ if (err) goto err;
+ err = gcry_md_setkey(sess->sendmac, sess->sendmackey, 20);
+ if (err) goto err;
+
+ /* Calculate the receiving encryption key */
+ gabdata[0] = rcvbyte;
+ gcry_md_hash_buffer(GCRY_MD_SHA1, hashdata, gabdata, gablen+5);
+ err = gcry_cipher_open(&(sess->rcvenc), GCRY_CIPHER_AES,
+ GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE);
+ if (err) goto err;
+ err = gcry_cipher_setkey(sess->rcvenc, hashdata, 16);
+ if (err) goto err;
+
+ /* Calculate the receiving MAC key (and save it in the DH_sesskeys
+ * struct, so we can reveal it later) */
+ gcry_md_hash_buffer(GCRY_MD_SHA1, sess->rcvmackey, hashdata, 16);
+ err = gcry_md_open(&(sess->rcvmac), GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC);
+ if (err) goto err;
+ err = gcry_md_setkey(sess->rcvmac, sess->rcvmackey, 20);
+ if (err) goto err;
+
+ gcry_free(gabdata);
+ gcry_free(hashdata);
+ return gcry_error(GPG_ERR_NO_ERROR);
+err:
+ otrl_dh_session_free(sess);
+ gcry_free(gabdata);
+ gcry_free(hashdata);
+ return err;
+}
+
+/*
+ * Compute the secure session id, two encryption keys, and four MAC keys
+ * given our DH key and their DH public key.
+ */
+gcry_error_t otrl_dh_compute_v2_auth_keys(const DH_keypair *our_dh,
+ gcry_mpi_t their_pub, unsigned char *sessionid, size_t *sessionidlenp,
+ gcry_cipher_hd_t *enc_c, gcry_cipher_hd_t *enc_cp,
+ gcry_md_hd_t *mac_m1, gcry_md_hd_t *mac_m1p,
+ gcry_md_hd_t *mac_m2, gcry_md_hd_t *mac_m2p)
+{
+ gcry_mpi_t s;
+ size_t slen;
+ unsigned char *sdata;
+ unsigned char *hashdata;
+ unsigned char ctr[16];
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+
+ *enc_c = NULL;
+ *enc_cp = NULL;
+ *mac_m1 = NULL;
+ *mac_m1p = NULL;
+ *mac_m2 = NULL;
+ *mac_m2p = NULL;
+ memset(ctr, 0, 16);
+
+ if (our_dh->groupid != DH1536_GROUP_ID) {
+ /* Invalid group id */
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Check that their_pub is in range */
+ if (gcry_mpi_cmp_ui(their_pub, 2) < 0 ||
+ gcry_mpi_cmp(their_pub, DH1536_MODULUS_MINUS_2) > 0) {
+ /* Invalid pubkey */
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Calculate the shared secret MPI */
+ s = gcry_mpi_new(DH1536_MOD_LEN_BITS);
+ gcry_mpi_powm(s, their_pub, our_dh->priv, DH1536_MODULUS);
+
+ /* Output it in the right format */
+ gcry_mpi_print(GCRYMPI_FMT_USG, NULL, 0, &slen, s);
+ sdata = gcry_malloc_secure(slen + 5);
+ if (!sdata) {
+ gcry_mpi_release(s);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ sdata[1] = (slen >> 24) & 0xff;
+ sdata[2] = (slen >> 16) & 0xff;
+ sdata[3] = (slen >> 8) & 0xff;
+ sdata[4] = slen & 0xff;
+ gcry_mpi_print(GCRYMPI_FMT_USG, sdata+5, slen, NULL, s);
+ gcry_mpi_release(s);
+
+ /* Calculate the session id */
+ hashdata = gcry_malloc_secure(32);
+ if (!hashdata) {
+ gcry_free(sdata);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ sdata[0] = 0x00;
+ gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5);
+ memcpy(sessionid, hashdata, 8);
+ *sessionidlenp = 8;
+
+ /* Calculate the encryption keys */
+ sdata[0] = 0x01;
+ gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5);
+
+ err = gcry_cipher_open(enc_c, GCRY_CIPHER_AES,
+ GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE);
+ if (err) goto err;
+ err = gcry_cipher_setkey(*enc_c, hashdata, 16);
+ if (err) goto err;
+ err = gcry_cipher_setctr(*enc_c, ctr, 16);
+ if (err) goto err;
+
+ err = gcry_cipher_open(enc_cp, GCRY_CIPHER_AES,
+ GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE);
+ if (err) goto err;
+ err = gcry_cipher_setkey(*enc_cp, hashdata+16, 16);
+ if (err) goto err;
+ err = gcry_cipher_setctr(*enc_cp, ctr, 16);
+ if (err) goto err;
+
+ /* Calculate the MAC keys */
+ sdata[0] = 0x02;
+ gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5);
+ err = gcry_md_open(mac_m1, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
+ if (err) goto err;
+ err = gcry_md_setkey(*mac_m1, hashdata, 32);
+ if (err) goto err;
+
+ sdata[0] = 0x03;
+ gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5);
+ err = gcry_md_open(mac_m2, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
+ if (err) goto err;
+ err = gcry_md_setkey(*mac_m2, hashdata, 32);
+ if (err) goto err;
+
+ sdata[0] = 0x04;
+ gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5);
+ err = gcry_md_open(mac_m1p, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
+ if (err) goto err;
+ err = gcry_md_setkey(*mac_m1p, hashdata, 32);
+ if (err) goto err;
+
+ sdata[0] = 0x05;
+ gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5);
+ err = gcry_md_open(mac_m2p, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
+ if (err) goto err;
+ err = gcry_md_setkey(*mac_m2p, hashdata, 32);
+ if (err) goto err;
+
+ gcry_free(sdata);
+ gcry_free(hashdata);
+ return gcry_error(GPG_ERR_NO_ERROR);
+
+err:
+ gcry_cipher_close(*enc_c);
+ gcry_cipher_close(*enc_cp);
+ gcry_md_close(*mac_m1);
+ gcry_md_close(*mac_m1p);
+ gcry_md_close(*mac_m2);
+ gcry_md_close(*mac_m2p);
+ *enc_c = NULL;
+ *enc_cp = NULL;
+ *mac_m1 = NULL;
+ *mac_m1p = NULL;
+ *mac_m2 = NULL;
+ *mac_m2p = NULL;
+ gcry_free(sdata);
+ gcry_free(hashdata);
+ return err;
+}
+
+/*
+ * Compute the secure session id, given our DH key and their DH public
+ * key.
+ */
+gcry_error_t otrl_dh_compute_v1_session_id(const DH_keypair *our_dh,
+ gcry_mpi_t their_pub, unsigned char *sessionid, size_t *sessionidlenp,
+ OtrlSessionIdHalf *halfp)
+{
+ gcry_mpi_t s;
+ size_t slen;
+ unsigned char *sdata;
+ unsigned char *hashdata;
+
+ if (our_dh->groupid != DH1536_GROUP_ID) {
+ /* Invalid group id */
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Check that their_pub is in range */
+ if (gcry_mpi_cmp_ui(their_pub, 2) < 0 ||
+ gcry_mpi_cmp(their_pub, DH1536_MODULUS_MINUS_2) > 0) {
+ /* Invalid pubkey */
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Calculate the shared secret MPI */
+ s = gcry_mpi_new(DH1536_MOD_LEN_BITS);
+ gcry_mpi_powm(s, their_pub, our_dh->priv, DH1536_MODULUS);
+
+ /* Output it in the right format */
+ gcry_mpi_print(GCRYMPI_FMT_USG, NULL, 0, &slen, s);
+ sdata = gcry_malloc_secure(slen + 5);
+ if (!sdata) {
+ gcry_mpi_release(s);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ sdata[1] = (slen >> 24) & 0xff;
+ sdata[2] = (slen >> 16) & 0xff;
+ sdata[3] = (slen >> 8) & 0xff;
+ sdata[4] = slen & 0xff;
+ gcry_mpi_print(GCRYMPI_FMT_USG, sdata+5, slen, NULL, s);
+ gcry_mpi_release(s);
+
+ /* Calculate the session id */
+ hashdata = gcry_malloc_secure(20);
+ if (!hashdata) {
+ gcry_free(sdata);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ sdata[0] = 0x00;
+ gcry_md_hash_buffer(GCRY_MD_SHA1, hashdata, sdata, slen+5);
+ memcpy(sessionid, hashdata, 20);
+ *sessionidlenp = 20;
+
+ /* Which half should be bold? */
+ if (gcry_mpi_cmp(our_dh->pub, their_pub) > 0) {
+ *halfp = OTRL_SESSIONID_SECOND_HALF_BOLD;
+ } else {
+ *halfp = OTRL_SESSIONID_FIRST_HALF_BOLD;
+ }
+
+ gcry_free(hashdata);
+ gcry_free(sdata);
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/*
+ * Deallocate the contents of a DH_sesskeys (but not the DH_sesskeys
+ * itself)
+ */
+void otrl_dh_session_free(DH_sesskeys *sess)
+{
+ gcry_cipher_close(sess->sendenc);
+ gcry_cipher_close(sess->rcvenc);
+ gcry_md_close(sess->sendmac);
+ gcry_md_close(sess->rcvmac);
+
+ otrl_dh_session_blank(sess);
+}
+
+/*
+ * Blank out the contents of a DH_sesskeys (without releasing it)
+ */
+void otrl_dh_session_blank(DH_sesskeys *sess)
+{
+ sess->sendenc = NULL;
+ sess->sendmac = NULL;
+ sess->rcvenc = NULL;
+ sess->rcvmac = NULL;
+ memset(sess->sendctr, 0, 16);
+ memset(sess->rcvctr, 0, 16);
+ memset(sess->sendmackey, 0, 20);
+ memset(sess->rcvmackey, 0, 20);
+ sess->sendmacused = 0;
+ sess->rcvmacused = 0;
+}
+
+/* Increment the top half of a counter block */
+void otrl_dh_incctr(unsigned char *ctr)
+{
+ int i;
+ for (i=8;i;--i) {
+ if (++ctr[i-1]) break;
+ }
+}
+
+/* Compare two counter values (8 bytes each). Return 0 if ctr1 == ctr2,
+ * < 0 if ctr1 < ctr2 (as unsigned 64-bit values), > 0 if ctr1 > ctr2. */
+int otrl_dh_cmpctr(const unsigned char *ctr1, const unsigned char *ctr2)
+{
+ int i;
+ for (i=0;i<8;++i) {
+ int c = ctr1[i] - ctr2[i];
+ if (c) return c;
+ }
+ return 0;
+}
diff --git a/plugins/MirOTR/libotr/src/dh.h b/plugins/MirOTR/libotr/src/dh.h
new file mode 100644
index 0000000000..d68328f528
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/dh.h
@@ -0,0 +1,119 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __DH_H__
+#define __DH_H__
+
+#define DH1536_GROUP_ID 5
+
+typedef struct {
+ unsigned int groupid;
+ gcry_mpi_t priv, pub;
+} DH_keypair;
+
+/* Which half of the secure session id should be shown in bold? */
+typedef enum {
+ OTRL_SESSIONID_FIRST_HALF_BOLD,
+ OTRL_SESSIONID_SECOND_HALF_BOLD
+} OtrlSessionIdHalf;
+
+typedef struct {
+ unsigned char sendctr[16];
+ unsigned char rcvctr[16];
+ gcry_cipher_hd_t sendenc;
+ gcry_cipher_hd_t rcvenc;
+ gcry_md_hd_t sendmac;
+ unsigned char sendmackey[20];
+ int sendmacused;
+ gcry_md_hd_t rcvmac;
+ unsigned char rcvmackey[20];
+ int rcvmacused;
+} DH_sesskeys;
+
+/*
+ * Call this once, at plugin load time. It sets up the modulus and
+ * generator MPIs.
+ */
+void otrl_dh_init(void);
+
+/*
+ * Initialize the fields of a DH keypair.
+ */
+void otrl_dh_keypair_init(DH_keypair *kp);
+
+/*
+ * Copy a DH_keypair.
+ */
+void otrl_dh_keypair_copy(DH_keypair *dst, const DH_keypair *src);
+
+/*
+ * Deallocate the contents of a DH_keypair (but not the DH_keypair
+ * itself)
+ */
+void otrl_dh_keypair_free(DH_keypair *kp);
+
+/*
+ * Generate a DH keypair for a specified group.
+ */
+gcry_error_t otrl_dh_gen_keypair(unsigned int groupid, DH_keypair *kp);
+
+/*
+ * Construct session keys from a DH keypair and someone else's public
+ * key.
+ */
+gcry_error_t otrl_dh_session(DH_sesskeys *sess, const DH_keypair *kp,
+ gcry_mpi_t y);
+
+/*
+ * Compute the secure session id, two encryption keys, and four MAC keys
+ * given our DH key and their DH public key.
+ */
+gcry_error_t otrl_dh_compute_v2_auth_keys(const DH_keypair *our_dh,
+ gcry_mpi_t their_pub, unsigned char *sessionid, size_t *sessionidlenp,
+ gcry_cipher_hd_t *enc_c, gcry_cipher_hd_t *enc_cp,
+ gcry_md_hd_t *mac_m1, gcry_md_hd_t *mac_m1p,
+ gcry_md_hd_t *mac_m2, gcry_md_hd_t *mac_m2p);
+
+/*
+ * Compute the secure session id, given our DH key and their DH public
+ * key.
+ */
+gcry_error_t otrl_dh_compute_v1_session_id(const DH_keypair *our_dh,
+ gcry_mpi_t their_pub, unsigned char *sessionid, size_t *sessionidlenp,
+ OtrlSessionIdHalf *halfp);
+
+/*
+ * Deallocate the contents of a DH_sesskeys (but not the DH_sesskeys
+ * itself)
+ */
+void otrl_dh_session_free(DH_sesskeys *sess);
+
+/*
+ * Blank out the contents of a DH_sesskeys (without releasing it)
+ */
+void otrl_dh_session_blank(DH_sesskeys *sess);
+
+/* Increment the top half of a counter block */
+void otrl_dh_incctr(unsigned char *ctr);
+
+/* Compare two counter values (8 bytes each). Return 0 if ctr1 == ctr2,
+ * < 0 if ctr1 < ctr2 (as unsigned 64-bit values), > 0 if ctr1 > ctr2. */
+int otrl_dh_cmpctr(const unsigned char *ctr1, const unsigned char *ctr2);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/mem.c b/plugins/MirOTR/libotr/src/mem.c
new file mode 100644
index 0000000000..fe32baadc4
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/mem.c
@@ -0,0 +1,163 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* Memory allocation routines for libgcrypt. All of the session key
+ * information gets allocated through here, so we can wipe it out when
+ * it's free()d. We don't use the built-in secmem functions of
+ * libgcrypt because you need to declare a fixed amount of it when you
+ * start up.
+ *
+ * Because "secure" and "insecure" allocations from libgcrypt will get
+ * handled the same way (since we're not going to be running as root,
+ * and so won't actually have pinned memory), pretend all allocated
+ * memory (but just from libgcrypt) is requested secure, and wipe it on
+ * free(). */
+
+/* Uncomment the following to add a check that our free() and realloc() only
+ * get called on things returned from our malloc(). */
+/* #define OTRL_MEM_MAGIC 0x31415926 */
+
+/* system headers */
+#ifdef OTRL_MEM_MAGIC
+#include <stdio.h>
+#endif
+#include <stdlib.h>
+
+/* libgcrypt headers */
+#include <gcrypt.h>
+
+/* libotr headers */
+#include "mem.h"
+
+static int header_size;
+
+static void *otrl_mem_malloc(size_t n)
+{
+ void *p;
+ size_t new_n = n;
+ new_n += header_size;
+
+ /* Check for overflow attack */
+ if (new_n < n) return NULL;
+ p = malloc(new_n);
+ if (p == NULL) return NULL;
+
+ ((size_t *)p)[0] = new_n; /* Includes header size */
+#ifdef OTRL_MEM_MAGIC
+ ((size_t *)p)[1] = OTRL_MEM_MAGIC;
+#endif
+
+ return (void *)((char *)p + header_size);
+}
+
+static int otrl_mem_is_secure(const void *p)
+{
+ return 1;
+}
+
+static void otrl_mem_free(void *p)
+{
+ void *real_p = (void *)((char *)p - header_size);
+ size_t n = ((size_t *)real_p)[0];
+#ifdef OTRL_MEM_MAGIC
+ if (((size_t *)real_p)[1] != OTRL_MEM_MAGIC) {
+ fprintf(stderr, "Illegal free!\n");
+ return;
+ }
+#endif
+
+ /* Wipe the memory (in the same way the built-in deallocator in
+ * libgcrypt would) */
+ memset(real_p, 0xff, n);
+ memset(real_p, 0xaa, n);
+ memset(real_p, 0x55, n);
+ memset(real_p, 0x00, n);
+
+ free(real_p);
+}
+
+static void *otrl_mem_realloc(void *p, size_t n)
+{
+ if (p == NULL) {
+ return otrl_mem_malloc(n);
+ } else if (n == 0) {
+ otrl_mem_free(p);
+ return NULL;
+ } else {
+ void *real_p = (void *)((char *)p - header_size);
+ void *new_p;
+ size_t old_n = ((size_t *)real_p)[0];
+#ifdef OTRL_MEM_MAGIC
+ size_t magic = ((size_t *)real_p)[1];
+#endif
+ size_t new_n = n;
+ new_n += header_size;
+
+ /* Check for overflow attack */
+ if (new_n < n) return NULL;
+
+#ifdef OTRL_MEM_MAGIC
+ if (magic != OTRL_MEM_MAGIC) {
+ fprintf(stderr, "Illegal realloc!\n");
+ return NULL;
+ }
+#endif
+
+ if (new_n < old_n) {
+ /* Overwrite the space we're about to stop using */
+ void *p = (void *)((char *)real_p + new_n);
+ size_t excess = old_n - new_n;
+ memset(p, 0xff, excess);
+ memset(p, 0xaa, excess);
+ memset(p, 0x55, excess);
+ memset(p, 0x00, excess);
+
+ /* We don't actually need to realloc() */
+ new_p = real_p;
+ } else {
+ new_p = realloc(real_p, new_n);
+ if (new_p == NULL) return NULL;
+ }
+
+ ((size_t *)new_p)[0] = new_n; /* Includes header size */
+ return (void *)((char *)new_p + header_size);
+ }
+}
+
+void otrl_mem_init(void)
+{
+ header_size = 8;
+#ifdef OTRL_MEM_MAGIC
+ if (header_size < 2*sizeof(size_t)) {
+ header_size = 2*sizeof(size_t);
+ }
+#else
+ if (header_size < sizeof(size_t)) {
+ header_size = sizeof(size_t);
+ }
+#endif
+
+ gcry_set_allocation_handler(
+ otrl_mem_malloc,
+ otrl_mem_malloc,
+ otrl_mem_is_secure,
+ otrl_mem_realloc,
+ otrl_mem_free
+ );
+}
diff --git a/plugins/MirOTR/libotr/src/mem.h b/plugins/MirOTR/libotr/src/mem.h
new file mode 100644
index 0000000000..19e00cf5aa
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/mem.h
@@ -0,0 +1,25 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __MEM_H__
+#define __MEM_H__
+
+void otrl_mem_init(void);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/message.c b/plugins/MirOTR/libotr/src/message.c
new file mode 100644
index 0000000000..b385c1f4f1
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/message.c
@@ -0,0 +1,1446 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* system headers */
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+
+/* libgcrypt headers */
+#include <gcrypt.h>
+
+/* libotr headers */
+#include "privkey.h"
+#include "proto.h"
+#include "auth.h"
+#include "message.h"
+#include "sm.h"
+
+/* The API version */
+extern unsigned int otrl_api_version;
+
+/* How long after sending a packet should we wait to send a heartbeat? */
+#define HEARTBEAT_INTERVAL 60
+
+/* How old are messages allowed to be in order to be candidates for
+ * resending in response to a rekey? */
+#define RESEND_INTERVAL 60
+
+/* Deallocate a message allocated by other otrl_message_* routines. */
+void otrl_message_free(char *message)
+{
+ free(message);
+}
+
+/* Handle a message about to be sent to the network. It is safe to pass
+ * all messages about to be sent to this routine. add_appdata is a
+ * function that will be called in the event that a new ConnContext is
+ * created. It will be passed the data that you supplied, as well as a
+ * pointer to the new ConnContext. You can use this to add
+ * application-specific information to the ConnContext using the
+ * "context->app" field, for example. If you don't need to do this, you
+ * can pass NULL for the last two arguments of otrl_message_sending.
+ *
+ * tlvs is a chain of OtrlTLVs to append to the private message. It is
+ * usually correct to just pass NULL here.
+ *
+ * If this routine returns non-zero, then the library tried to encrypt
+ * the message, but for some reason failed. DO NOT send the message in
+ * the clear in that case.
+ *
+ * If *messagep gets set by the call to something non-NULL, then you
+ * should replace your message with the contents of *messagep, and
+ * send that instead. Call otrl_message_free(*messagep) when you're
+ * done with it. */
+gcry_error_t otrl_message_sending(OtrlUserState us,
+ const OtrlMessageAppOps *ops,
+ void *opdata, const char *accountname, const char *protocol,
+ const char *recipient, const char *message, OtrlTLV *tlvs,
+ char **messagep,
+ void (*add_appdata)(void *data, ConnContext *context),
+ void *data)
+{
+ struct context * context;
+ char * msgtosend;
+ gcry_error_t err;
+ OtrlPolicy policy = OTRL_POLICY_DEFAULT;
+ int context_added = 0;
+
+ *messagep = NULL;
+
+ if (!accountname || !protocol || !recipient || !message || !messagep)
+ return gcry_error(GPG_ERR_NO_ERROR);
+
+ /* See if we have a fingerprint for this user */
+ context = otrl_context_find(us, recipient, accountname, protocol,
+ 1, &context_added, add_appdata, data);
+
+ /* Update the context list if we added one */
+ if (context_added && ops->update_context_list) {
+ ops->update_context_list(opdata);
+ }
+
+ /* Check the policy */
+ if (ops->policy) {
+ policy = ops->policy(opdata, context);
+ }
+
+ /* Should we go on at all? */
+ if ((policy & OTRL_POLICY_VERSION_MASK) == 0) {
+ return gcry_error(GPG_ERR_NO_ERROR);
+ }
+
+ /* If this is an OTR Query message, don't encrypt it. */
+ if (otrl_proto_message_type(message) == OTRL_MSGTYPE_QUERY) {
+ /* Replace the "?OTR?" with a custom message */
+ char *bettermsg = otrl_proto_default_query_msg(accountname, policy);
+ if (bettermsg) {
+ *messagep = bettermsg;
+ }
+ return gcry_error(GPG_ERR_NO_ERROR);
+ }
+
+ /* What is the current message disposition? */
+ switch(context->msgstate) {
+ case OTRL_MSGSTATE_PLAINTEXT:
+ if ((policy & OTRL_POLICY_REQUIRE_ENCRYPTION)) {
+ /* We're trying to send an unencrypted message with a policy
+ * that disallows that. Don't do that, but try to start
+ * up OTR instead. */
+ if ((!(ops->display_otr_message) ||
+ ops->display_otr_message(opdata, accountname,
+ protocol, recipient, "Attempting to start a "
+ "private conversation...")) && ops->notify) {
+ const char *format = "You attempted to send an "
+ "unencrypted message to %s";
+ char *primary = malloc(strlen(format) +
+ strlen(recipient) - 1);
+ if (primary) {
+ sprintf(primary, format, recipient);
+ ops->notify(opdata, OTRL_NOTIFY_WARNING, accountname,
+ protocol, recipient, "OTR Policy Violation",
+ primary,
+ "Unencrypted messages to this recipient are "
+ "not allowed. Attempting to start a private "
+ "conversation.\n\nYour message will be "
+ "retransmitted when the private conversation "
+ "starts.");
+ free(primary);
+ }
+ }
+ context->lastmessage = gcry_malloc_secure(strlen(message) + 1);
+ if (context->lastmessage) {
+ char *bettermsg = otrl_proto_default_query_msg(accountname,
+ policy);
+ strcpy(context->lastmessage, message);
+ context->lastsent = time(NULL);
+ context->may_retransmit = 2;
+ if (bettermsg) {
+ *messagep = bettermsg;
+ } else {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ }
+ } else {
+ if ((policy & OTRL_POLICY_SEND_WHITESPACE_TAG) &&
+ context->otr_offer != OFFER_REJECTED) {
+ /* See if this user can speak OTR. Append the
+ * OTR_MESSAGE_TAG to the plaintext message, and see
+ * if he responds. */
+ size_t msglen = strlen(message);
+ size_t basetaglen = strlen(OTRL_MESSAGE_TAG_BASE);
+ size_t v1taglen = (policy & OTRL_POLICY_ALLOW_V1) ?
+ strlen(OTRL_MESSAGE_TAG_V1) : 0;
+ size_t v2taglen = (policy & OTRL_POLICY_ALLOW_V2) ?
+ strlen(OTRL_MESSAGE_TAG_V2) : 0;
+ char *taggedmsg = malloc(msglen + basetaglen + v1taglen
+ +v2taglen + 1);
+ if (taggedmsg) {
+ strcpy(taggedmsg, message);
+ strcpy(taggedmsg + msglen, OTRL_MESSAGE_TAG_BASE);
+ if (v1taglen) {
+ strcpy(taggedmsg + msglen + basetaglen,
+ OTRL_MESSAGE_TAG_V1);
+ }
+ if (v2taglen) {
+ strcpy(taggedmsg + msglen + basetaglen + v1taglen,
+ OTRL_MESSAGE_TAG_V2);
+ }
+ *messagep = taggedmsg;
+ if (context) {
+ context->otr_offer = OFFER_SENT;
+ }
+ }
+ }
+ }
+ break;
+ case OTRL_MSGSTATE_ENCRYPTED:
+ /* Create the new, encrypted message */
+ err = otrl_proto_create_data(&msgtosend, context, message, tlvs,
+ 0);
+ if (!err) {
+ context->lastsent = time(NULL);
+ *messagep = msgtosend;
+ } else {
+ /* Uh, oh. Whatever we do, *don't* send the message in the
+ * clear. */
+ *messagep = _strdup("?OTR Error: Error occurred encrypting "
+ "message");
+ if ((!(ops->display_otr_message) ||
+ ops->display_otr_message(opdata, accountname,
+ protocol, recipient, "An error occurred when "
+ "encrypting your message. The message was not "
+ "sent.")) && ops->notify) {
+ ops->notify(opdata, OTRL_NOTIFY_ERROR,
+ accountname, protocol, recipient,
+ "Error encrypting message",
+ "An error occurred when encrypting your message",
+ "The message was not sent.");
+ }
+ if (!(*messagep)) {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ }
+ break;
+ case OTRL_MSGSTATE_FINISHED:
+ *messagep = _strdup("");
+ if ((!(ops->display_otr_message) ||
+ ops->display_otr_message(opdata, accountname,
+ protocol, recipient, "Your message was not sent. "
+ "Either end your private conversation, or restart "
+ "it.")) && ops->notify) {
+ const char *fmt = "%s has already closed his/her private "
+ "connection to you";
+ char *primary = malloc(strlen(fmt) + strlen(recipient) - 1);
+ if (primary) {
+ sprintf(primary, fmt, recipient);
+ ops->notify(opdata, OTRL_NOTIFY_ERROR,
+ accountname, protocol, recipient,
+ "Private connection closed", primary,
+ "Your message was not sent. Either close your "
+ "private connection to him, or refresh it.");
+ }
+ }
+ if (!(*messagep)) {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ break;
+ }
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* If err == 0, send the last auth message for the given context to the
+ * appropriate user. Otherwise, display an appripriate error dialog.
+ * Return the value of err that was passed. */
+static gcry_error_t send_or_error_auth(const OtrlMessageAppOps *ops,
+ void *opdata, gcry_error_t err, ConnContext *context)
+{
+ if (!err) {
+ const char *msg = context->auth.lastauthmsg;
+ if (msg && *msg) {
+ otrl_message_fragment_and_send(ops, opdata, context, msg, OTRL_FRAGMENT_SEND_ALL, NULL);
+ /*if (ops->inject_message) {
+ ops->inject_message(opdata, context->accountname,
+ context->protocol, context->username, msg);
+ }*/
+ }
+ } else {
+ const char *buf_format = "Error setting up private conversation: %s";
+ const char *strerr;
+ char *buf;
+
+ switch(gcry_err_code(err)) {
+ case GPG_ERR_INV_VALUE:
+ strerr = "Malformed message received";
+ break;
+ default:
+ strerr = gcry_strerror(err);
+ break;
+ }
+ buf = malloc(strlen(buf_format) + strlen(strerr) - 1);
+ if (buf) {
+ sprintf(buf, buf_format, strerr);
+ }
+ if ((!(ops->display_otr_message) ||
+ ops->display_otr_message(opdata, context->accountname,
+ context->protocol, context->username, buf))
+ && ops->notify) {
+ ops->notify(opdata, OTRL_NOTIFY_ERROR, context->accountname,
+ context->protocol, context->username, "OTR error",
+ buf, NULL);
+ }
+ free(buf);
+ }
+ return err;
+}
+
+typedef struct {
+ int gone_encrypted;
+ OtrlUserState us;
+ const OtrlMessageAppOps *ops;
+ void *opdata;
+ ConnContext *context;
+ int ignore_message;
+ char **messagep;
+} EncrData;
+
+static gcry_error_t go_encrypted(const OtrlAuthInfo *auth, void *asdata)
+{
+ EncrData *edata = asdata;
+ gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR);
+ Fingerprint *found_print = NULL;
+ int fprint_added = 0;
+ OtrlMessageState oldstate = edata->context->msgstate;
+ Fingerprint *oldprint = edata->context->active_fingerprint;
+
+ /* See if we're talking to ourselves */
+ if (!gcry_mpi_cmp(auth->their_pub, auth->our_dh.pub)) {
+ /* Yes, we are. */
+ if ((!(edata->ops->display_otr_message) ||
+ edata->ops->display_otr_message(edata->opdata,
+ edata->context->accountname, edata->context->protocol,
+ edata->context->username,
+ "We are receiving our own OTR messages. "
+ "You are either trying to talk to yourself, "
+ "or someone is reflecting your messages back "
+ "at you.")) && edata->ops->notify) {
+ edata->ops->notify(edata->opdata, OTRL_NOTIFY_ERROR,
+ edata->context->accountname, edata->context->protocol,
+ edata->context->username, "OTR Error",
+ "We are receiving our own OTR messages.",
+ "You are either trying to talk to yourself, "
+ "or someone is reflecting your messages back "
+ "at you.");
+ }
+ edata->ignore_message = 1;
+ return gcry_error(GPG_ERR_NO_ERROR);
+ }
+
+ found_print = otrl_context_find_fingerprint(edata->context,
+ edata->context->auth.their_fingerprint, 1, &fprint_added);
+
+ if (fprint_added) {
+ /* Inform the user of the new fingerprint */
+ if (edata->ops->new_fingerprint) {
+ edata->ops->new_fingerprint(edata->opdata, edata->us,
+ edata->context->accountname, edata->context->protocol,
+ edata->context->username,
+ edata->context->auth.their_fingerprint);
+ }
+ /* Arrange that the new fingerprint be written to disk */
+ if (edata->ops->write_fingerprints) {
+ edata->ops->write_fingerprints(edata->opdata);
+ }
+ }
+
+ /* Is this a new session or just a refresh of an existing one? */
+ if (edata->context->msgstate == OTRL_MSGSTATE_ENCRYPTED &&
+ oldprint == found_print &&
+ edata->context->our_keyid - 1 == edata->context->auth.our_keyid &&
+ !gcry_mpi_cmp(edata->context->our_old_dh_key.pub,
+ edata->context->auth.our_dh.pub) &&
+ ((edata->context->their_keyid > 0 &&
+ edata->context->their_keyid ==
+ edata->context->auth.their_keyid &&
+ !gcry_mpi_cmp(edata->context->their_y,
+ edata->context->auth.their_pub)) ||
+ (edata->context->their_keyid > 1 &&
+ edata->context->their_keyid - 1 ==
+ edata->context->auth.their_keyid &&
+ edata->context->their_old_y != NULL &&
+ !gcry_mpi_cmp(edata->context->their_old_y,
+ edata->context->auth.their_pub)))) {
+ /* This is just a refresh of the existing session. */
+ if (edata->ops->still_secure) {
+ edata->ops->still_secure(edata->opdata, edata->context,
+ edata->context->auth.initiated);
+ }
+ edata->ignore_message = 1;
+ return gcry_error(GPG_ERR_NO_ERROR);
+ }
+
+ /* Copy the information from the auth into the context */
+ memmove(edata->context->sessionid,
+ edata->context->auth.secure_session_id, 20);
+ edata->context->sessionid_len =
+ edata->context->auth.secure_session_id_len;
+ edata->context->sessionid_half =
+ edata->context->auth.session_id_half;
+ edata->context->protocol_version =
+ edata->context->auth.protocol_version;
+
+ edata->context->their_keyid = edata->context->auth.their_keyid;
+ gcry_mpi_release(edata->context->their_y);
+ gcry_mpi_release(edata->context->their_old_y);
+ edata->context->their_y = gcry_mpi_copy(edata->context->auth.their_pub);
+ edata->context->their_old_y = NULL;
+
+ if (edata->context->our_keyid - 1 != edata->context->auth.our_keyid ||
+ gcry_mpi_cmp(edata->context->our_old_dh_key.pub,
+ edata->context->auth.our_dh.pub)) {
+ otrl_dh_keypair_free(&(edata->context->our_dh_key));
+ otrl_dh_keypair_free(&(edata->context->our_old_dh_key));
+ otrl_dh_keypair_copy(&(edata->context->our_old_dh_key),
+ &(edata->context->auth.our_dh));
+ otrl_dh_gen_keypair(edata->context->our_old_dh_key.groupid,
+ &(edata->context->our_dh_key));
+ edata->context->our_keyid = edata->context->auth.our_keyid + 1;
+ }
+
+ /* Create the session keys from the DH keys */
+ otrl_dh_session_free(&(edata->context->sesskeys[0][0]));
+ err = otrl_dh_session(&(edata->context->sesskeys[0][0]),
+ &(edata->context->our_dh_key), edata->context->their_y);
+ if (err) return err;
+ otrl_dh_session_free(&(edata->context->sesskeys[1][0]));
+ err = otrl_dh_session(&(edata->context->sesskeys[1][0]),
+ &(edata->context->our_old_dh_key), edata->context->their_y);
+ if (err) return err;
+
+ edata->context->generation++;
+ edata->context->active_fingerprint = found_print;
+ edata->context->msgstate = OTRL_MSGSTATE_ENCRYPTED;
+
+ if (edata->ops->update_context_list) {
+ edata->ops->update_context_list(edata->opdata);
+ }
+ if (oldstate == OTRL_MSGSTATE_ENCRYPTED && oldprint == found_print) {
+ if (edata->ops->still_secure) {
+ edata->ops->still_secure(edata->opdata, edata->context,
+ edata->context->auth.initiated);
+ }
+ } else {
+ if (edata->ops->gone_secure) {
+ edata->ops->gone_secure(edata->opdata, edata->context);
+ }
+ }
+
+ edata->gone_encrypted = 1;
+
+ return gpg_error(GPG_ERR_NO_ERROR);
+}
+
+static void maybe_resend(EncrData *edata)
+{
+ gcry_error_t err;
+ time_t now;
+
+ if (!edata->gone_encrypted) return;
+
+ /* See if there's a message we sent recently that should be resent. */
+ now = time(NULL);
+ if (edata->context->lastmessage != NULL &&
+ edata->context->may_retransmit &&
+ edata->context->lastsent >= (now - RESEND_INTERVAL)) {
+ char *resendmsg;
+ int resending = (edata->context->may_retransmit == 1);
+
+ /* Re-encrypt the message with the new keys */
+ err = otrl_proto_create_data(&resendmsg,
+ edata->context, edata->context->lastmessage, NULL, 0);
+ if (!err) {
+ const char *format = "<b>The last message "
+ "to %s was resent.</b>";
+ char *buf;
+
+ /* Resend the message */
+ otrl_message_fragment_and_send(edata->ops, edata->opdata, edata->context, resendmsg, OTRL_FRAGMENT_SEND_ALL, NULL);
+ free(resendmsg);
+ edata->context->lastsent = now;
+
+ if (!resending) {
+ /* We're actually just sending it
+ * for the first time. */
+ edata->ignore_message = 1;
+ } else {
+ /* Let the user know we resent it */
+ buf = malloc(strlen(format) +
+ strlen(edata->context->username) - 1);
+ if (buf) {
+ sprintf(buf, format, edata->context->username);
+ if (edata->ops->display_otr_message) {
+ if (!edata->ops->display_otr_message(
+ edata->opdata, edata->context->accountname,
+ edata->context->protocol,
+ edata->context->username, buf)) {
+ edata->ignore_message = 1;
+ }
+ }
+ if (edata->ignore_message != 1) {
+ *(edata->messagep) = buf;
+ edata->ignore_message = 0;
+ } else {
+ free(buf);
+ }
+ }
+ }
+ }
+ }
+}
+
+/* Set the trust level based on the result of the SMP */
+static void set_smp_trust(const OtrlMessageAppOps *ops, void *opdata,
+ ConnContext *context, int trusted)
+{
+ otrl_context_set_trust(context->active_fingerprint, trusted ? "smp" : "");
+
+ /* Write the new info to disk, redraw the ui, and redraw the
+ * OTR buttons. */
+ if (ops->write_fingerprints) {
+ ops->write_fingerprints(opdata);
+ }
+}
+
+static void init_respond_smp(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, ConnContext *context, const char *question,
+ const unsigned char *secret, size_t secretlen, int initiating)
+{
+ unsigned char *smpmsg = NULL;
+ int smpmsglen;
+ unsigned char combined_secret[SM_DIGEST_SIZE];
+ gcry_error_t err;
+ unsigned char our_fp[20];
+ unsigned char *combined_buf;
+ size_t combined_buf_len;
+ OtrlTLV *sendtlv;
+ char *sendsmp = NULL;
+
+ if (!context || context->msgstate != OTRL_MSGSTATE_ENCRYPTED) return;
+
+ /*
+ * Construct the combined secret as a SHA256 hash of:
+ * Version byte (0x01), Initiator fingerprint (20 bytes),
+ * responder fingerprint (20 bytes), secure session id, input secret
+ */
+ otrl_privkey_fingerprint_raw(us, our_fp, context->accountname,
+ context->protocol);
+
+ combined_buf_len = 41 + context->sessionid_len + secretlen;
+ combined_buf = malloc(combined_buf_len);
+ combined_buf[0] = 0x01;
+ if (initiating) {
+ memmove(combined_buf + 1, our_fp, 20);
+ memmove(combined_buf + 21,
+ context->active_fingerprint->fingerprint, 20);
+ } else {
+ memmove(combined_buf + 1,
+ context->active_fingerprint->fingerprint, 20);
+ memmove(combined_buf + 21, our_fp, 20);
+ }
+ memmove(combined_buf + 41, context->sessionid,
+ context->sessionid_len);
+ memmove(combined_buf + 41 + context->sessionid_len,
+ secret, secretlen);
+ gcry_md_hash_buffer(SM_HASH_ALGORITHM, combined_secret, combined_buf,
+ combined_buf_len);
+ free(combined_buf);
+
+ if (initiating) {
+ otrl_sm_step1(context->smstate, combined_secret, SM_DIGEST_SIZE,
+ &smpmsg, &smpmsglen);
+ } else {
+ otrl_sm_step2b(context->smstate, combined_secret, SM_DIGEST_SIZE,
+ &smpmsg, &smpmsglen);
+ }
+
+ /* If we've got a question, attach it to the smpmsg */
+ if (question != NULL) {
+ size_t qlen = strlen(question);
+ unsigned char *qsmpmsg = malloc(qlen + 1 + smpmsglen);
+ if (!qsmpmsg) {
+ free(smpmsg);
+ return;
+ }
+ strcpy((char *)qsmpmsg, question);
+ memmove(qsmpmsg + qlen + 1, smpmsg, smpmsglen);
+ free(smpmsg);
+ smpmsg = qsmpmsg;
+ smpmsglen += qlen + 1;
+ }
+
+ /* Send msg with next smp msg content */
+ sendtlv = otrl_tlv_new(initiating ?
+ (question != NULL ? OTRL_TLV_SMP1Q : OTRL_TLV_SMP1)
+ : OTRL_TLV_SMP2,
+ smpmsglen, smpmsg);
+ err = otrl_proto_create_data(&sendsmp, context, "", sendtlv,
+ OTRL_MSGFLAGS_IGNORE_UNREADABLE);
+ if (!err) {
+ /* Send it, and set the next expected message to the
+ * logical response */
+ err = otrl_message_fragment_and_send(ops, opdata, context,
+ sendsmp, OTRL_FRAGMENT_SEND_ALL, NULL);
+ context->smstate->nextExpected =
+ initiating ? OTRL_SMP_EXPECT2 : OTRL_SMP_EXPECT3;
+ }
+ free(sendsmp);
+ otrl_tlv_free(sendtlv);
+ free(smpmsg);
+}
+
+/* Initiate the Socialist Millionaires' Protocol */
+void otrl_message_initiate_smp(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, ConnContext *context, const unsigned char *secret,
+ size_t secretlen)
+{
+ init_respond_smp(us, ops, opdata, context, NULL, secret, secretlen, 1);
+}
+
+/* Initiate the Socialist Millionaires' Protocol and send a prompt
+ * question to the buddy */
+void otrl_message_initiate_smp_q(OtrlUserState us,
+ const OtrlMessageAppOps *ops, void *opdata, ConnContext *context,
+ const char *question, const unsigned char *secret, size_t secretlen)
+{
+ init_respond_smp(us, ops, opdata, context, question, secret, secretlen, 1);
+}
+
+/* Respond to a buddy initiating the Socialist Millionaires' Protocol */
+void otrl_message_respond_smp(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, ConnContext *context, const unsigned char *secret,
+ size_t secretlen)
+{
+ init_respond_smp(us, ops, opdata, context, NULL, secret, secretlen, 0);
+}
+
+/* Abort the SMP. Called when an unexpected SMP message breaks the
+ * normal flow. */
+void otrl_message_abort_smp(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, ConnContext *context)
+{
+ OtrlTLV *sendtlv = otrl_tlv_new(OTRL_TLV_SMP_ABORT, 0,
+ (const unsigned char *)"");
+ char *sendsmp = NULL;
+ gcry_error_t err;
+
+ context->smstate->nextExpected = OTRL_SMP_EXPECT1;
+
+ err = otrl_proto_create_data(&sendsmp,
+ context, "", sendtlv,
+ OTRL_MSGFLAGS_IGNORE_UNREADABLE);
+ if (!err) {
+ /* Send the abort signal so our buddy knows we've stopped */
+ err = otrl_message_fragment_and_send(ops, opdata, context,
+ sendsmp, OTRL_FRAGMENT_SEND_ALL, NULL);
+ }
+ free(sendsmp);
+ otrl_tlv_free(sendtlv);
+}
+
+/* Handle a message just received from the network. It is safe to pass
+ * all received messages to this routine. add_appdata is a function
+ * that will be called in the event that a new ConnContext is created.
+ * It will be passed the data that you supplied, as well as
+ * a pointer to the new ConnContext. You can use this to add
+ * application-specific information to the ConnContext using the
+ * "context->app" field, for example. If you don't need to do this, you
+ * can pass NULL for the last two arguments of otrl_message_receiving.
+ *
+ * If otrl_message_receiving returns 1, then the message you received
+ * was an internal protocol message, and no message should be delivered
+ * to the user.
+ *
+ * If it returns 0, then check if *messagep was set to non-NULL. If
+ * so, replace the received message with the contents of *messagep, and
+ * deliver that to the user instead. You must call
+ * otrl_message_free(*messagep) when you're done with it. If tlvsp is
+ * non-NULL, *tlvsp will be set to a chain of any TLVs that were
+ * transmitted along with this message. You must call
+ * otrl_tlv_free(*tlvsp) when you're done with those.
+ *
+ * If otrl_message_receiving returns 0 and *messagep is NULL, then this
+ * was an ordinary, non-OTR message, which should just be delivered to
+ * the user without modification. */
+int otrl_message_receiving(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, const char *accountname, const char *protocol,
+ const char *sender, const char *message, char **newmessagep,
+ OtrlTLV **tlvsp,
+ void (*add_appdata)(void *data, ConnContext *context),
+ void *data)
+{
+ ConnContext *context;
+ OtrlMessageType msgtype;
+ int context_added = 0;
+ OtrlMessageState msgstate;
+ OtrlPolicy policy = OTRL_POLICY_DEFAULT;
+ int fragment_assembled = 0;
+ char *unfragmessage = NULL;
+ EncrData edata;
+
+ if (!accountname || !protocol || !sender || !message || !newmessagep)
+ return 0;
+
+ *newmessagep = NULL;
+ if (tlvsp) *tlvsp = NULL;
+
+ /* Find our context and state with this correspondent */
+ context = otrl_context_find(us, sender, accountname,
+ protocol, 1, &context_added, add_appdata, data);
+
+ /* Update the context list if we added one */
+ if (context_added && ops->update_context_list) {
+ ops->update_context_list(opdata);
+ }
+
+ /* Check the policy */
+ if (ops->policy) {
+ policy = ops->policy(opdata, context);
+ }
+
+ /* Should we go on at all? */
+ if ((policy & OTRL_POLICY_VERSION_MASK) == 0) {
+ return 0;
+ }
+
+ /* See if we have a fragment */
+ switch(otrl_proto_fragment_accumulate(&unfragmessage, context, message)) {
+ case OTRL_FRAGMENT_UNFRAGMENTED:
+ /* Do nothing */
+ break;
+ case OTRL_FRAGMENT_INCOMPLETE:
+ /* We've accumulated this fragment, but we don't have a
+ * complete message yet */
+ return 1;
+ case OTRL_FRAGMENT_COMPLETE:
+ /* We've got a new complete message, in unfragmessage. */
+ fragment_assembled = 1;
+ message = unfragmessage;
+ break;
+ }
+
+ /* What type of message is it? Note that this just checks the
+ * header; it's not necessarily a _valid_ message of this type. */
+ msgtype = otrl_proto_message_type(message);
+ msgstate = context->msgstate;
+
+ /* See if they responded to our OTR offer */
+ if ((policy & OTRL_POLICY_SEND_WHITESPACE_TAG)) {
+ if (msgtype != OTRL_MSGTYPE_NOTOTR) {
+ context->otr_offer = OFFER_ACCEPTED;
+ } else if (context->otr_offer == OFFER_SENT) {
+ context->otr_offer = OFFER_REJECTED;
+ }
+ }
+
+ edata.gone_encrypted = 0;
+ edata.us = us;
+ edata.context = context;
+ edata.ops = ops;
+ edata.opdata = opdata;
+ edata.ignore_message = -1;
+ edata.messagep = newmessagep;
+
+ switch(msgtype) {
+ unsigned int bestversion;
+ const char *startwhite, *endwhite;
+ DH_keypair *our_dh;
+ unsigned int our_keyid;
+ OtrlPrivKey *privkey;
+ gcry_error_t err;
+ int haveauthmsg;
+ case OTRL_MSGTYPE_QUERY:
+ /* See if we should use an existing DH keypair, or generate
+ * a fresh one. */
+ if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED) {
+ our_dh = &(context->our_old_dh_key);
+ our_keyid = context->our_keyid - 1;
+ } else {
+ our_dh = NULL;
+ our_keyid = 0;
+ }
+
+ /* Find the best version of OTR that we both speak */
+ switch(otrl_proto_query_bestversion(message, policy)) {
+ case 2:
+ err = otrl_auth_start_v2(&(context->auth));
+ send_or_error_auth(ops, opdata, err, context);
+ break;
+ case 1:
+ /* Get our private key */
+ privkey = otrl_privkey_find(us, context->accountname,
+ context->protocol);
+ if (privkey == NULL) {
+ /* We've got no private key! */
+ if (ops->create_privkey) {
+ ops->create_privkey(opdata, context->accountname,
+ context->protocol);
+ privkey = otrl_privkey_find(us,
+ context->accountname, context->protocol);
+ }
+ }
+ if (privkey) {
+ err = otrl_auth_start_v1(&(context->auth), our_dh,
+ our_keyid, privkey);
+ send_or_error_auth(ops, opdata, err, context);
+ }
+ break;
+ default:
+ /* Just ignore this message */
+ break;
+ }
+ /* Don't display the Query message to the user. */
+ if (edata.ignore_message == -1) edata.ignore_message = 1;
+ break;
+
+ case OTRL_MSGTYPE_DH_COMMIT:
+ if ((policy & OTRL_POLICY_ALLOW_V2)) {
+ err = otrl_auth_handle_commit(&(context->auth), message);
+ send_or_error_auth(ops, opdata, err, context);
+ }
+
+ if (edata.ignore_message == -1) edata.ignore_message = 1;
+ break;
+
+ case OTRL_MSGTYPE_DH_KEY:
+ if ((policy & OTRL_POLICY_ALLOW_V2)) {
+ /* Get our private key */
+ privkey = otrl_privkey_find(us, context->accountname,
+ context->protocol);
+ if (privkey == NULL) {
+ /* We've got no private key! */
+ if (ops->create_privkey) {
+ ops->create_privkey(opdata, context->accountname,
+ context->protocol);
+ privkey = otrl_privkey_find(us,
+ context->accountname, context->protocol);
+ }
+ }
+ if (privkey) {
+ err = otrl_auth_handle_key(&(context->auth), message,
+ &haveauthmsg, privkey);
+ if (err || haveauthmsg) {
+ send_or_error_auth(ops, opdata, err, context);
+ }
+ }
+ }
+
+ if (edata.ignore_message == -1) edata.ignore_message = 1;
+ break;
+
+ case OTRL_MSGTYPE_REVEALSIG:
+ if ((policy & OTRL_POLICY_ALLOW_V2)) {
+ /* Get our private key */
+ privkey = otrl_privkey_find(us, context->accountname,
+ context->protocol);
+ if (privkey == NULL) {
+ /* We've got no private key! */
+ if (ops->create_privkey) {
+ ops->create_privkey(opdata, context->accountname,
+ context->protocol);
+ privkey = otrl_privkey_find(us,
+ context->accountname, context->protocol);
+ }
+ }
+ if (privkey) {
+ err = otrl_auth_handle_revealsig(&(context->auth),
+ message, &haveauthmsg, privkey, go_encrypted,
+ &edata);
+ if (err || haveauthmsg) {
+ send_or_error_auth(ops, opdata, err, context);
+ maybe_resend(&edata);
+ }
+ }
+ }
+
+ if (edata.ignore_message == -1) edata.ignore_message = 1;
+ break;
+
+ case OTRL_MSGTYPE_SIGNATURE:
+ if ((policy & OTRL_POLICY_ALLOW_V2)) {
+ err = otrl_auth_handle_signature(&(context->auth),
+ message, &haveauthmsg, go_encrypted, &edata);
+ if (err || haveauthmsg) {
+ send_or_error_auth(ops, opdata, err, context);
+ maybe_resend(&edata);
+ }
+ }
+
+ if (edata.ignore_message == -1) edata.ignore_message = 1;
+ break;
+
+ case OTRL_MSGTYPE_V1_KEYEXCH:
+ if ((policy & OTRL_POLICY_ALLOW_V1)) {
+ /* See if we should use an existing DH keypair, or generate
+ * a fresh one. */
+ if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED) {
+ our_dh = &(context->our_old_dh_key);
+ our_keyid = context->our_keyid - 1;
+ } else {
+ our_dh = NULL;
+ our_keyid = 0;
+ }
+
+ /* Get our private key */
+ privkey = otrl_privkey_find(us, context->accountname,
+ context->protocol);
+ if (privkey == NULL) {
+ /* We've got no private key! */
+ if (ops->create_privkey) {
+ ops->create_privkey(opdata, context->accountname,
+ context->protocol);
+ privkey = otrl_privkey_find(us,
+ context->accountname, context->protocol);
+ }
+ }
+ if (privkey) {
+ err = otrl_auth_handle_v1_key_exchange(&(context->auth),
+ message, &haveauthmsg, privkey, our_dh, our_keyid,
+ go_encrypted, &edata);
+ if (err || haveauthmsg) {
+ send_or_error_auth(ops, opdata, err, context);
+ maybe_resend(&edata);
+ }
+ }
+ }
+
+ if (edata.ignore_message == -1) edata.ignore_message = 1;
+ break;
+
+ case OTRL_MSGTYPE_DATA:
+ switch(context->msgstate) {
+ gcry_error_t err;
+ OtrlTLV *tlvs, *tlv;
+ char *plaintext;
+ char *buf;
+ const char *format;
+ const char *displayaccountname;
+ unsigned char flags;
+ NextExpectedSMP nextMsg;
+
+ case OTRL_MSGSTATE_PLAINTEXT:
+ case OTRL_MSGSTATE_FINISHED:
+ /* See if we're supposed to ignore this message in
+ * the event it's unreadable. */
+ err = otrl_proto_data_read_flags(message, &flags);
+ if ((flags & OTRL_MSGFLAGS_IGNORE_UNREADABLE)) {
+ edata.ignore_message = 1;
+ break;
+ }
+
+ /* Don't use g_strdup_printf here, because someone
+ * (not us) is going to free() the *newmessagep pointer,
+ * not g_free() it. */
+ format = "<b>The encrypted message received from %s is "
+ "unreadable, as you are not currently communicating "
+ "privately.</b>";
+ buf = malloc(strlen(format) + strlen(context->username)
+ - 1); /* Remove "%s", add username + '\0' */
+ if (buf) {
+ sprintf(buf, format, context->username);
+ if (ops->display_otr_message) {
+ if (!ops->display_otr_message(opdata, accountname,
+ protocol, sender, buf)) {
+ edata.ignore_message = 1;
+ }
+ }
+ if (edata.ignore_message != 1) {
+ *newmessagep = buf;
+ edata.ignore_message = 0;
+ } else {
+ free(buf);
+ }
+ }
+ format = "?OTR Error: You sent encrypted "
+ "data to %s, who wasn't expecting it.";
+ if (otrl_api_version >= 0x00030100 &&
+ ops->account_name) {
+ displayaccountname = ops->account_name(opdata,
+ context->accountname, protocol);
+ } else {
+ displayaccountname = NULL;
+ }
+ buf = malloc(strlen(format) + strlen(displayaccountname ?
+ displayaccountname : context->accountname)
+ - 1);
+ if (buf) {
+ sprintf(buf, format, displayaccountname ?
+ displayaccountname : context->accountname);
+ if (ops->inject_message) {
+ ops->inject_message(opdata, accountname, protocol,
+ sender, buf);
+ }
+ free(buf);
+ }
+ if (displayaccountname && otrl_api_version >= 0x00030100 &&
+ ops->account_name_free) {
+ ops->account_name_free(opdata, displayaccountname);
+ }
+
+ break;
+
+ case OTRL_MSGSTATE_ENCRYPTED:
+ err = otrl_proto_accept_data(&plaintext, &tlvs, context,
+ message, &flags);
+ if (err) {
+ int is_conflict =
+ (gpg_err_code(err) == GPG_ERR_CONFLICT);
+ if ((flags & OTRL_MSGFLAGS_IGNORE_UNREADABLE)) {
+ edata.ignore_message = 1;
+ break;
+ }
+ format = is_conflict ? "We received an unreadable "
+ "encrypted message from %s." :
+ "We received a malformed data message from %s.";
+ buf = malloc(strlen(format) + strlen(sender) - 1);
+ if (buf) {
+ sprintf(buf, format, sender);
+ if ((!(ops->display_otr_message) ||
+ ops->display_otr_message(opdata,
+ accountname, protocol, sender,
+ buf)) && ops->notify) {
+ ops->notify(opdata, OTRL_NOTIFY_ERROR,
+ accountname, protocol, sender,
+ "OTR Error", buf, NULL);
+ }
+ free(buf);
+ }
+ if (ops->inject_message) {
+ ops->inject_message(opdata, accountname, protocol,
+ sender, is_conflict ? "?OTR Error: "
+ "You transmitted an unreadable "
+ "encrypted message." :
+ "?OTR Error: You transmitted "
+ "a malformed data message");
+ }
+ edata.ignore_message = 1;
+ break;
+ }
+
+ /* If the other side told us he's disconnected his
+ * private connection, make a note of that so we
+ * don't try sending anything else to him. */
+ if (otrl_tlv_find(tlvs, OTRL_TLV_DISCONNECTED)) {
+ otrl_context_force_finished(context);
+ }
+
+ /* If TLVs contain SMP data, process it */
+ nextMsg = context->smstate->nextExpected;
+ tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP1Q);
+ if (tlv && nextMsg == OTRL_SMP_EXPECT1) {
+ /* We can only do the verification half now.
+ * We must wait for the secret to be entered
+ * to continue. */
+ char *question = (char *)tlv->data;
+ char *qend = memchr(question, '\0', tlv->len - 1);
+ size_t qlen = qend ? (qend - question + 1) : tlv->len;
+ otrl_sm_step2a(context->smstate, tlv->data + qlen,
+ tlv->len - qlen, 1);
+ }
+ tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP1);
+ if (tlv && nextMsg == OTRL_SMP_EXPECT1) {
+ /* We can only do the verification half now.
+ * We must wait for the secret to be entered
+ * to continue. */
+ otrl_sm_step2a(context->smstate, tlv->data, tlv->len,
+ 0);
+ }
+ tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP2);
+ if (tlv && nextMsg == OTRL_SMP_EXPECT2) {
+ unsigned char* nextmsg;
+ int nextmsglen;
+ OtrlTLV *sendtlv;
+ char *sendsmp;
+ otrl_sm_step3(context->smstate, tlv->data, tlv->len,
+ &nextmsg, &nextmsglen);
+
+ if (context->smstate->sm_prog_state !=
+ OTRL_SMP_PROG_CHEATED) {
+ /* Send msg with next smp msg content */
+ sendtlv = otrl_tlv_new(OTRL_TLV_SMP3, nextmsglen,
+ nextmsg);
+ err = otrl_proto_create_data(&sendsmp,
+ context, "", sendtlv,
+ OTRL_MSGFLAGS_IGNORE_UNREADABLE);
+ if (!err) {
+ err = otrl_message_fragment_and_send(ops,
+ opdata, context, sendsmp,
+ OTRL_FRAGMENT_SEND_ALL, NULL);
+ }
+ free(sendsmp);
+ otrl_tlv_free(sendtlv);
+ }
+ free(nextmsg);
+ }
+ tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP3);
+ if (tlv && nextMsg == OTRL_SMP_EXPECT3) {
+ unsigned char* nextmsg;
+ int nextmsglen;
+ OtrlTLV *sendtlv;
+ char *sendsmp;
+ err = otrl_sm_step4(context->smstate, tlv->data,
+ tlv->len, &nextmsg, &nextmsglen);
+ /* Set trust level based on result */
+ if (context->smstate->received_question == 0) {
+ set_smp_trust(ops, opdata, context,
+ (err == gcry_error(GPG_ERR_NO_ERROR)));
+ }
+
+ if (context->smstate->sm_prog_state !=
+ OTRL_SMP_PROG_CHEATED) {
+ /* Send msg with next smp msg content */
+ sendtlv = otrl_tlv_new(OTRL_TLV_SMP4, nextmsglen,
+ nextmsg);
+ err = otrl_proto_create_data(&sendsmp,
+ context, "", sendtlv,
+ OTRL_MSGFLAGS_IGNORE_UNREADABLE);
+ if (!err) {
+ err = otrl_message_fragment_and_send(ops,
+ opdata, context, sendsmp,
+ OTRL_FRAGMENT_SEND_ALL, NULL);
+ }
+ free(sendsmp);
+ otrl_tlv_free(sendtlv);
+ }
+ free(nextmsg);
+ }
+ tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP4);
+ if (tlv && nextMsg == OTRL_SMP_EXPECT4) {
+ err = otrl_sm_step5(context->smstate, tlv->data,
+ tlv->len);
+ /* Set trust level based on result */
+ set_smp_trust(ops, opdata, context,
+ (err == gcry_error(GPG_ERR_NO_ERROR)));
+ }
+ tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP_ABORT);
+ if (tlv) {
+ context->smstate->nextExpected = OTRL_SMP_EXPECT1;
+ }
+ if (plaintext[0] == '\0') {
+ /* If it's a heartbeat (an empty message), don't
+ * display it to the user, but log a debug message. */
+ format = "Heartbeat received from %s.\n";
+ buf = malloc(strlen(format) + strlen(sender) - 1);
+ if (buf) {
+ sprintf(buf, format, sender);
+ if (ops->log_message) {
+ ops->log_message(opdata, buf);
+ }
+ free(buf);
+ }
+ edata.ignore_message = 1;
+ } else if (edata.ignore_message == 0 &&
+ context->their_keyid > 0) {
+ /* If it's *not* a heartbeat, and we haven't
+ * sent anything in a while, also send a
+ * heartbeat. */
+ time_t now = time(NULL);
+ if (context->lastsent < (now - HEARTBEAT_INTERVAL)) {
+ char *heartbeat;
+
+ /* Create the heartbeat message */
+ err = otrl_proto_create_data(&heartbeat,
+ context, "", NULL,
+ OTRL_MSGFLAGS_IGNORE_UNREADABLE);
+ if (!err) {
+ /* Send it, and log a debug message */
+ if (ops->inject_message) {
+ ops->inject_message(opdata, accountname,
+ protocol, sender, heartbeat);
+ }
+ free(heartbeat);
+
+ context->lastsent = now;
+
+ /* Log a debug message */
+ format = "Heartbeat sent to %s.\n";
+ buf = malloc(strlen(format) + strlen(sender)
+ - 1);
+ if (buf) {
+ sprintf(buf, format, sender);
+ if (ops->log_message) {
+ ops->log_message(opdata, buf);
+ }
+ free(buf);
+ }
+ }
+ }
+ }
+
+ /* Return the TLVs even if ignore_message == 1 so
+ * that we can attach TLVs to heartbeats. */
+ if (tlvsp) {
+ *tlvsp = tlvs;
+ } else {
+ otrl_tlv_free(tlvs);
+ }
+
+ if (edata.ignore_message != 1) {
+ *newmessagep = plaintext;
+ edata.ignore_message = 0;
+ } else {
+ free(plaintext);
+ }
+ break;
+ }
+ break;
+
+ case OTRL_MSGTYPE_ERROR:
+ if ((policy & OTRL_POLICY_ERROR_START_AKE)) {
+ char *msgtosend = otrl_proto_default_query_msg(
+ context->accountname, policy);
+ if (msgtosend && ops->inject_message) {
+ ops->inject_message(opdata, context->accountname,
+ context->protocol, context->username,
+ msgtosend);
+ }
+ free(msgtosend);
+ }
+
+ if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED) {
+ /* Mark the last message we sent as eligible for
+ * retransmission */
+ context->may_retransmit = 1;
+ }
+
+ /* In any event, display the error message, with the
+ * display_otr_message callback, if possible */
+ if (ops->display_otr_message) {
+ const char *otrerror = strstr(message, "?OTR Error:");
+ if (otrerror) {
+ /* Skip the leading '?' */
+ ++otrerror;
+ } else {
+ otrerror = message;
+ }
+ if (!ops->display_otr_message(opdata, accountname, protocol,
+ sender, otrerror)) {
+ edata.ignore_message = 1;
+ }
+ }
+ break;
+
+ case OTRL_MSGTYPE_TAGGEDPLAINTEXT:
+ /* Strip the tag from the message */
+ bestversion = otrl_proto_whitespace_bestversion(message,
+ &startwhite, &endwhite, policy);
+ if (startwhite && endwhite) {
+ size_t restlen = strlen(endwhite);
+ char *strippedmsg = _strdup(message);
+
+ if (strippedmsg) {
+ memmove(strippedmsg + (startwhite - message),
+ strippedmsg + (endwhite - message), restlen+1);
+ *newmessagep = strippedmsg;
+ edata.ignore_message = 0;
+ }
+ }
+ if (bestversion && context->msgstate != OTRL_MSGSTATE_ENCRYPTED
+ && (policy & OTRL_POLICY_WHITESPACE_START_AKE)) {
+ switch(bestversion) {
+ case 2:
+ err = otrl_auth_start_v2(&(context->auth));
+ send_or_error_auth(ops, opdata, err, context);
+ break;
+ case 1:
+ /* Get our private key */
+ privkey = otrl_privkey_find(us, context->accountname,
+ context->protocol);
+ if (privkey == NULL) {
+ /* We've got no private key! */
+ if (ops->create_privkey) {
+ ops->create_privkey(opdata,
+ context->accountname,
+ context->protocol);
+ privkey = otrl_privkey_find(us,
+ context->accountname,
+ context->protocol);
+ }
+ }
+ if (privkey) {
+ err = otrl_auth_start_v1(&(context->auth), NULL, 0,
+ privkey);
+ send_or_error_auth(ops, opdata, err, context);
+ }
+ break;
+ default:
+ /* Don't start the AKE */
+ break;
+ }
+ }
+
+ /* FALLTHROUGH */
+ case OTRL_MSGTYPE_NOTOTR:
+ if (context->msgstate != OTRL_MSGSTATE_PLAINTEXT ||
+ (policy & OTRL_POLICY_REQUIRE_ENCRYPTION)) {
+ /* Not fine. Let the user know. */
+
+ /* Don't use g_strdup_printf here, because someone
+ * (not us) is going to free() the *message pointer,
+ * not g_free() it. */
+ const char *plainmsg = (*newmessagep) ? *newmessagep : message;
+ const char *format = "The following message received "
+ "from %s was not encrypted: [</b>%s<b>]";
+ char *buf = malloc(strlen(format) + strlen(context->username)
+ + strlen(plainmsg) - 3);
+ /* Remove "%s%s", add username + message + '\0' */
+ if (buf) {
+ sprintf(buf, format, context->username, plainmsg);
+ if (ops->display_otr_message) {
+ if (!ops->display_otr_message(opdata, accountname,
+ protocol, sender, buf)) {
+ free(*newmessagep);
+ *newmessagep = NULL;
+ edata.ignore_message = 1;
+ }
+ }
+ if (edata.ignore_message != 1) {
+ free(*newmessagep);
+ *newmessagep = buf;
+ edata.ignore_message = 0;
+ } else {
+ free(buf);
+ }
+ }
+ }
+ break;
+
+ case OTRL_MSGTYPE_UNKNOWN:
+ /* We received an OTR message we didn't recognize. Ignore
+ * it, but make a log entry. */
+ if (ops->log_message) {
+ const char *format = "Unrecognized OTR message received "
+ "from %s.\n";
+ char *buf = malloc(strlen(format) + strlen(sender) - 1);
+ if (buf) {
+ sprintf(buf, format, sender);
+ ops->log_message(opdata, buf);
+ free(buf);
+ }
+ }
+ if (edata.ignore_message == -1) edata.ignore_message = 1;
+ break;
+ }
+
+ /* If we reassembled a fragmented message, we need to free the
+ * allocated memory now. */
+ if (fragment_assembled) {
+ free(unfragmessage);
+ }
+
+ if (edata.ignore_message == -1) edata.ignore_message = 0;
+ return edata.ignore_message;
+}
+
+/* Send a message to the network, fragmenting first if necessary.
+ * All messages to be sent to the network should go through this
+ * method immediately before they are sent, ie after encryption. */
+gcry_error_t otrl_message_fragment_and_send(const OtrlMessageAppOps *ops,
+ void *opdata, ConnContext *context, const char *message,
+ OtrlFragmentPolicy fragPolicy, char **returnFragment)
+{
+ int mms = 0;
+ if (message && ops->inject_message) {
+ int msglen;
+
+ if (otrl_api_version >= 0x030100 && ops->max_message_size) {
+ mms = ops->max_message_size(opdata, context);
+ }
+ msglen = strlen(message);
+
+ /* Don't incur overhead of fragmentation unless necessary */
+ if(mms != 0 && msglen > mms) {
+ char **fragments;
+ gcry_error_t err;
+ int i;
+ int fragment_count = ((msglen - 1) / (mms -19)) + 1;
+ /* like ceil(msglen/(mms - 19)) */
+
+ err = otrl_proto_fragment_create(mms, fragment_count, &fragments,
+ message);
+ if (err) {
+ return err;
+ }
+
+ /* Determine which fragments to send and which to return
+ * based on given Fragment Policy. If the first fragment
+ * should be returned instead of sent, store it. */
+ if (fragPolicy == OTRL_FRAGMENT_SEND_ALL_BUT_FIRST) {
+ *returnFragment = _strdup(fragments[0]);
+ } else {
+ ops->inject_message(opdata, context->accountname,
+ context->protocol, context->username, fragments[0]);
+ }
+ for (i=1; i<fragment_count-1; i++) {
+ ops->inject_message(opdata, context->accountname,
+ context->protocol, context->username, fragments[i]);
+ }
+ /* If the last fragment should be stored instead of sent,
+ * store it */
+ if (fragPolicy == OTRL_FRAGMENT_SEND_ALL_BUT_LAST) {
+ *returnFragment = _strdup(fragments[fragment_count-1]);
+ } else {
+ ops->inject_message(opdata, context->accountname,
+ context->protocol, context->username, fragments[fragment_count-1]);
+ }
+ /* Now free all fragment memory */
+ otrl_proto_fragment_free(&fragments, fragment_count);
+
+ } else {
+ /* No fragmentation necessary */
+ if (fragPolicy == OTRL_FRAGMENT_SEND_ALL) {
+ ops->inject_message(opdata, context->accountname,
+ context->protocol, context->username, message);
+ } else {
+ /* Copy and return the entire given message. */
+ int l = strlen(message) + 1;
+ *returnFragment = malloc(sizeof(char)*l);
+ strcpy(*returnFragment, message);
+ }
+ }
+ }
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Put a connection into the PLAINTEXT state, first sending the
+ * other side a notice that we're doing so if we're currently ENCRYPTED,
+ * and we think he's logged in. */
+void otrl_message_disconnect(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, const char *accountname, const char *protocol,
+ const char *username)
+{
+ ConnContext *context = otrl_context_find(us, username, accountname,
+ protocol, 0, NULL, NULL, NULL);
+
+ if (!context) return;
+
+ if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED &&
+ context->their_keyid > 0 &&
+ ops->is_logged_in &&
+ ops->is_logged_in(opdata, accountname, protocol, username) == 1) {
+ if (ops->inject_message) {
+ char *encmsg = NULL;
+ gcry_error_t err;
+ OtrlTLV *tlv = otrl_tlv_new(OTRL_TLV_DISCONNECTED, 0, NULL);
+
+ err = otrl_proto_create_data(&encmsg, context, "", tlv,
+ OTRL_MSGFLAGS_IGNORE_UNREADABLE);
+ if (!err) {
+ ops->inject_message(opdata, accountname, protocol,
+ username, encmsg);
+ }
+ free(encmsg);
+ }
+ }
+
+ otrl_context_force_plaintext(context);
+ if (ops->update_context_list) {
+ ops->update_context_list(opdata);
+ }
+}
diff --git a/plugins/MirOTR/libotr/src/message.h b/plugins/MirOTR/libotr/src/message.h
new file mode 100644
index 0000000000..e658e9d4b1
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/message.h
@@ -0,0 +1,210 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __MESSAGE_H__
+#define __MESSAGE_H__
+
+typedef enum {
+ OTRL_NOTIFY_ERROR,
+ OTRL_NOTIFY_WARNING,
+ OTRL_NOTIFY_INFO
+} OtrlNotifyLevel;
+
+typedef struct s_OtrlMessageAppOps {
+ /* Return the OTR policy for the given context. */
+ OtrlPolicy (*policy)(void *opdata, ConnContext *context);
+
+ /* Create a private key for the given accountname/protocol if
+ * desired. */
+ void (*create_privkey)(void *opdata, const char *accountname,
+ const char *protocol);
+
+ /* Report whether you think the given user is online. Return 1 if
+ * you think he is, 0 if you think he isn't, -1 if you're not sure.
+ *
+ * If you return 1, messages such as heartbeats or other
+ * notifications may be sent to the user, which could result in "not
+ * logged in" errors if you're wrong. */
+ int (*is_logged_in)(void *opdata, const char *accountname,
+ const char *protocol, const char *recipient);
+
+ /* Send the given IM to the given recipient from the given
+ * accountname/protocol. */
+ void (*inject_message)(void *opdata, const char *accountname,
+ const char *protocol, const char *recipient, const char *message);
+
+ /* Display a notification message for a particular accountname /
+ * protocol / username conversation. */
+ void (*notify)(void *opdata, OtrlNotifyLevel level,
+ const char *accountname, const char *protocol,
+ const char *username, const char *title,
+ const char *primary, const char *secondary);
+
+ /* Display an OTR control message for a particular accountname /
+ * protocol / username conversation. Return 0 if you are able to
+ * successfully display it. If you return non-0 (or if this
+ * function is NULL), the control message will be displayed inline,
+ * as a received message, or else by using the above notify()
+ * callback. */
+ int (*display_otr_message)(void *opdata, const char *accountname,
+ const char *protocol, const char *username, const char *msg);
+
+ /* When the list of ConnContexts changes (including a change in
+ * state), this is called so the UI can be updated. */
+ void (*update_context_list)(void *opdata);
+
+ /* Return a newly allocated string containing a human-friendly name
+ * for the given protocol id */
+ const char *(*protocol_name)(void *opdata, const char *protocol);
+
+ /* Deallocate a string allocated by protocol_name */
+ void (*protocol_name_free)(void *opdata, const char *protocol_name);
+
+ /* A new fingerprint for the given user has been received. */
+ void (*new_fingerprint)(void *opdata, OtrlUserState us,
+ const char *accountname, const char *protocol,
+ const char *username, unsigned char fingerprint[20]);
+
+ /* The list of known fingerprints has changed. Write them to disk. */
+ void (*write_fingerprints)(void *opdata);
+
+ /* A ConnContext has entered a secure state. */
+ void (*gone_secure)(void *opdata, ConnContext *context);
+
+ /* A ConnContext has left a secure state. */
+ void (*gone_insecure)(void *opdata, ConnContext *context);
+
+ /* We have completed an authentication, using the D-H keys we
+ * already knew. is_reply indicates whether we initiated the AKE. */
+ void (*still_secure)(void *opdata, ConnContext *context, int is_reply);
+
+ /* Log a message. The passed message will end in "\n". */
+ void (*log_message)(void *opdata, const char *message);
+
+ /* Find the maximum message size supported by this protocol. */
+ int (*max_message_size)(void *opdata, ConnContext *context);
+
+ /* Return a newly allocated string containing a human-friendly
+ * representation for the given account */
+ const char *(*account_name)(void *opdata, const char *account,
+ const char *protocol);
+
+ /* Deallocate a string returned by account_name */
+ void (*account_name_free)(void *opdata, const char *account_name);
+
+} OtrlMessageAppOps;
+
+/* Deallocate a message allocated by other otrl_message_* routines. */
+void otrl_message_free(char *message);
+
+/* Handle a message about to be sent to the network. It is safe to pass
+ * all messages about to be sent to this routine. add_appdata is a
+ * function that will be called in the event that a new ConnContext is
+ * created. It will be passed the data that you supplied, as well as a
+ * pointer to the new ConnContext. You can use this to add
+ * application-specific information to the ConnContext using the
+ * "context->app" field, for example. If you don't need to do this, you
+ * can pass NULL for the last two arguments of otrl_message_sending.
+ *
+ * tlvs is a chain of OtrlTLVs to append to the private message. It is
+ * usually correct to just pass NULL here.
+ *
+ * If this routine returns non-zero, then the library tried to encrypt
+ * the message, but for some reason failed. DO NOT send the message in
+ * the clear in that case.
+ *
+ * If *messagep gets set by the call to something non-NULL, then you
+ * should replace your message with the contents of *messagep, and
+ * send that instead. Call otrl_message_free(*messagep) when you're
+ * done with it. */
+gcry_error_t otrl_message_sending(OtrlUserState us,
+ const OtrlMessageAppOps *ops,
+ void *opdata, const char *accountname, const char *protocol,
+ const char *recipient, const char *message, OtrlTLV *tlvs,
+ char **messagep,
+ void (*add_appdata)(void *data, ConnContext *context),
+ void *data);
+
+/* Handle a message just received from the network. It is safe to pass
+ * all received messages to this routine. add_appdata is a function
+ * that will be called in the event that a new ConnContext is created.
+ * It will be passed the data that you supplied, as well as
+ * a pointer to the new ConnContext. You can use this to add
+ * application-specific information to the ConnContext using the
+ * "context->app" field, for example. If you don't need to do this, you
+ * can pass NULL for the last two arguments of otrl_message_receiving.
+ *
+ * If otrl_message_receiving returns 1, then the message you received
+ * was an internal protocol message, and no message should be delivered
+ * to the user.
+ *
+ * If it returns 0, then check if *messagep was set to non-NULL. If
+ * so, replace the received message with the contents of *messagep, and
+ * deliver that to the user instead. You must call
+ * otrl_message_free(*messagep) when you're done with it. If tlvsp is
+ * non-NULL, *tlvsp will be set to a chain of any TLVs that were
+ * transmitted along with this message. You must call
+ * otrl_tlv_free(*tlvsp) when you're done with those.
+ *
+ * If otrl_message_receiving returns 0 and *messagep is NULL, then this
+ * was an ordinary, non-OTR message, which should just be delivered to
+ * the user without modification. */
+int otrl_message_receiving(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, const char *accountname, const char *protocol,
+ const char *sender, const char *message, char **newmessagep,
+ OtrlTLV **tlvsp,
+ void (*add_appdata)(void *data, ConnContext *context),
+ void *data);
+
+/* Send a message to the network, fragmenting first if necessary.
+ * All messages to be sent to the network should go through this
+ * method immediately before they are sent, ie after encryption. */
+gcry_error_t otrl_message_fragment_and_send(const OtrlMessageAppOps *ops,
+ void *opdata, ConnContext *context, const char *message,
+ OtrlFragmentPolicy fragPolicy, char **returnFragment);
+
+/* Put a connection into the PLAINTEXT state, first sending the
+ * other side a notice that we're doing so if we're currently ENCRYPTED,
+ * and we think he's logged in. */
+void otrl_message_disconnect(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, const char *accountname, const char *protocol,
+ const char *username);
+
+/* Initiate the Socialist Millionaires' Protocol */
+void otrl_message_initiate_smp(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, ConnContext *context, const unsigned char *secret,
+ size_t secretlen);
+
+/* Initiate the Socialist Millionaires' Protocol and send a prompt
+ * question to the buddy */
+void otrl_message_initiate_smp_q(OtrlUserState us,
+ const OtrlMessageAppOps *ops, void *opdata, ConnContext *context,
+ const char *question, const unsigned char *secret, size_t secretlen);
+
+/* Respond to a buddy initiating the Socialist Millionaires' Protocol */
+void otrl_message_respond_smp(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, ConnContext *context, const unsigned char *secret,
+ size_t secretlen);
+
+/* Abort the SMP. Called when an unexpected SMP message breaks the
+ * normal flow. */
+void otrl_message_abort_smp(OtrlUserState us, const OtrlMessageAppOps *ops,
+ void *opdata, ConnContext *context);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/privkey-t.h b/plugins/MirOTR/libotr/src/privkey-t.h
new file mode 100644
index 0000000000..3421b8baac
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/privkey-t.h
@@ -0,0 +1,39 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __PRIVKEY_T_H__
+#define __PRIVKEY_T_H__
+
+#include <gcrypt.h>
+
+typedef struct s_OtrlPrivKey {
+ struct s_OtrlPrivKey *next;
+ struct s_OtrlPrivKey **tous;
+
+ char *accountname;
+ char *protocol;
+ unsigned short pubkey_type;
+ gcry_sexp_t privkey;
+ unsigned char *pubkey_data;
+ size_t pubkey_datalen;
+} OtrlPrivKey;
+
+#define OTRL_PUBKEY_TYPE_DSA 0x0000
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/privkey.c b/plugins/MirOTR/libotr/src/privkey.c
new file mode 100644
index 0000000000..498bfae39a
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/privkey.c
@@ -0,0 +1,749 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* system headers */
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/stat.h>
+
+/* libgcrypt headers */
+#include <gcrypt.h>
+
+/* libotr headers */
+#include "privkey.h"
+#include "serial.h"
+
+/* Convert a 20-byte hash value to a 45-byte human-readable value */
+void otrl_privkey_hash_to_human(char human[45], const unsigned char hash[20])
+{
+ int word, byte;
+ char *p = human;
+
+ for(word=0; word<5; ++word) {
+ for(byte=0; byte<4; ++byte) {
+ sprintf(p, "%02X", hash[word*4+byte]);
+ p += 2;
+ }
+ *(p++) = ' ';
+ }
+ /* Change that last ' ' to a '\0' */
+ --p;
+ *p = '\0';
+}
+
+/* Calculate a human-readable hash of our DSA public key. Return it in
+ * the passed fingerprint buffer. Return NULL on error, or a pointer to
+ * the given buffer on success. */
+char *otrl_privkey_fingerprint(OtrlUserState us, char fingerprint[45],
+ const char *accountname, const char *protocol)
+{
+ unsigned char hash[20];
+ OtrlPrivKey *p = otrl_privkey_find(us, accountname, protocol);
+
+ if (p) {
+ /* Calculate the hash */
+ gcry_md_hash_buffer(GCRY_MD_SHA1, hash, p->pubkey_data,
+ p->pubkey_datalen);
+
+ /* Now convert it to a human-readable format */
+ otrl_privkey_hash_to_human(fingerprint, hash);
+ } else {
+ return NULL;
+ }
+
+ return fingerprint;
+}
+
+/* Calculate a raw hash of our DSA public key. Return it in the passed
+ * fingerprint buffer. Return NULL on error, or a pointer to the given
+ * buffer on success. */
+unsigned char *otrl_privkey_fingerprint_raw(OtrlUserState us,
+ unsigned char hash[20], const char *accountname, const char *protocol)
+{
+ OtrlPrivKey *p = otrl_privkey_find(us, accountname, protocol);
+
+ if (p) {
+ /* Calculate the hash */
+ gcry_md_hash_buffer(GCRY_MD_SHA1, hash, p->pubkey_data,
+ p->pubkey_datalen);
+ } else {
+ return NULL;
+ }
+
+ return hash;
+}
+
+/* Create a public key block from a private key */
+static gcry_error_t make_pubkey(unsigned char **pubbufp, size_t *publenp,
+ gcry_sexp_t privkey)
+{
+ gcry_mpi_t p,q,g,y;
+ gcry_sexp_t dsas,ps,qs,gs,ys;
+ size_t np,nq,ng,ny;
+ enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ unsigned char *bufp;
+ size_t lenp;
+
+ *pubbufp = NULL;
+ *publenp = 0;
+
+ /* Extract the public parameters */
+ dsas = gcry_sexp_find_token(privkey, "dsa", 0);
+ if (dsas == NULL) {
+ return gcry_error(GPG_ERR_UNUSABLE_SECKEY);
+ }
+ ps = gcry_sexp_find_token(dsas, "p", 0);
+ qs = gcry_sexp_find_token(dsas, "q", 0);
+ gs = gcry_sexp_find_token(dsas, "g", 0);
+ ys = gcry_sexp_find_token(dsas, "y", 0);
+ gcry_sexp_release(dsas);
+ if (!ps || !qs || !gs || !ys) {
+ gcry_sexp_release(ps);
+ gcry_sexp_release(qs);
+ gcry_sexp_release(gs);
+ gcry_sexp_release(ys);
+ return gcry_error(GPG_ERR_UNUSABLE_SECKEY);
+ }
+ p = gcry_sexp_nth_mpi(ps, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release(ps);
+ q = gcry_sexp_nth_mpi(qs, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release(qs);
+ g = gcry_sexp_nth_mpi(gs, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release(gs);
+ y = gcry_sexp_nth_mpi(ys, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release(ys);
+ if (!p || !q || !g || !y) {
+ gcry_mpi_release(p);
+ gcry_mpi_release(q);
+ gcry_mpi_release(g);
+ gcry_mpi_release(y);
+ return gcry_error(GPG_ERR_UNUSABLE_SECKEY);
+ }
+
+ *publenp = 0;
+ gcry_mpi_print(format, NULL, 0, &np, p);
+ *publenp += np + 4;
+ gcry_mpi_print(format, NULL, 0, &nq, q);
+ *publenp += nq + 4;
+ gcry_mpi_print(format, NULL, 0, &ng, g);
+ *publenp += ng + 4;
+ gcry_mpi_print(format, NULL, 0, &ny, y);
+ *publenp += ny + 4;
+
+ *pubbufp = malloc(*publenp);
+ if (*pubbufp == NULL) {
+ gcry_mpi_release(p);
+ gcry_mpi_release(q);
+ gcry_mpi_release(g);
+ gcry_mpi_release(y);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ bufp = *pubbufp;
+ lenp = *publenp;
+
+ write_mpi(p,np,"P");
+ write_mpi(q,nq,"Q");
+ write_mpi(g,ng,"G");
+ write_mpi(y,ny,"Y");
+
+ gcry_mpi_release(p);
+ gcry_mpi_release(q);
+ gcry_mpi_release(g);
+ gcry_mpi_release(y);
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Read a sets of private DSA keys from a file on disk into the given
+ * OtrlUserState. */
+gcry_error_t otrl_privkey_read(OtrlUserState us, const char *filename)
+{
+ FILE *privf;
+ gcry_error_t err;
+
+ /* Open the privkey file. We use rb mode so that on WIN32, fread()
+ * reads the same number of bytes that fstat() indicates are in the
+ * file. */
+ privf = fopen(filename, "rb");
+ if (!privf) {
+ err = gcry_error_from_errno(errno);
+ return err;
+ }
+
+ err = otrl_privkey_read_FILEp(us, privf);
+
+ fclose(privf);
+ return err;
+}
+
+/* Read a sets of private DSA keys from a FILE* into the given
+ * OtrlUserState. The FILE* must be open for reading. */
+gcry_error_t otrl_privkey_read_FILEp(OtrlUserState us, FILE *privf)
+{
+ int privfd;
+ struct stat st;
+ char *buf;
+ const char *token;
+ size_t tokenlen;
+ gcry_error_t err;
+ gcry_sexp_t allkeys;
+ size_t i;
+
+ if (!privf) return gcry_error(GPG_ERR_NO_ERROR);
+
+ /* Release any old ideas we had about our keys */
+ otrl_privkey_forget_all(us);
+
+ /* Load the data into a buffer */
+ privfd = _fileno(privf);
+ if (fstat(privfd, &st)) {
+ err = gcry_error_from_errno(errno);
+ return err;
+ }
+ buf = malloc(st.st_size);
+ if (!buf && st.st_size > 0) {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ if (fread(buf, st.st_size, 1, privf) != 1) {
+ err = gcry_error_from_errno(errno);
+ free(buf);
+ return err;
+ }
+
+ err = gcry_sexp_new(&allkeys, buf, st.st_size, 0);
+ free(buf);
+ if (err) {
+ return err;
+ }
+
+ token = gcry_sexp_nth_data(allkeys, 0, &tokenlen);
+ if (tokenlen != 8 || strncmp(token, "privkeys", 8)) {
+ gcry_sexp_release(allkeys);
+ return gcry_error(GPG_ERR_UNUSABLE_SECKEY);
+ }
+
+ /* Get each account */
+ for(i=1; i<gcry_sexp_length(allkeys); ++i) {
+ gcry_sexp_t names, protos, privs;
+ char *name, *proto;
+ gcry_sexp_t accounts;
+ OtrlPrivKey *p;
+
+ /* Get the ith "account" S-exp */
+ accounts = gcry_sexp_nth(allkeys, i);
+
+ /* It's really an "account" S-exp? */
+ token = gcry_sexp_nth_data(accounts, 0, &tokenlen);
+ if (tokenlen != 7 || strncmp(token, "account", 7)) {
+ gcry_sexp_release(accounts);
+ gcry_sexp_release(allkeys);
+ return gcry_error(GPG_ERR_UNUSABLE_SECKEY);
+ }
+ /* Extract the name, protocol, and privkey S-exps */
+ names = gcry_sexp_find_token(accounts, "name", 0);
+ protos = gcry_sexp_find_token(accounts, "protocol", 0);
+ privs = gcry_sexp_find_token(accounts, "private-key", 0);
+ gcry_sexp_release(accounts);
+ if (!names || !protos || !privs) {
+ gcry_sexp_release(names);
+ gcry_sexp_release(protos);
+ gcry_sexp_release(privs);
+ gcry_sexp_release(allkeys);
+ return gcry_error(GPG_ERR_UNUSABLE_SECKEY);
+ }
+ /* Extract the actual name and protocol */
+ token = gcry_sexp_nth_data(names, 1, &tokenlen);
+ if (!token) {
+ gcry_sexp_release(names);
+ gcry_sexp_release(protos);
+ gcry_sexp_release(privs);
+ gcry_sexp_release(allkeys);
+ return gcry_error(GPG_ERR_UNUSABLE_SECKEY);
+ }
+ name = malloc(tokenlen + 1);
+ if (!name) {
+ gcry_sexp_release(names);
+ gcry_sexp_release(protos);
+ gcry_sexp_release(privs);
+ gcry_sexp_release(allkeys);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ memmove(name, token, tokenlen);
+ name[tokenlen] = '\0';
+ gcry_sexp_release(names);
+
+ token = gcry_sexp_nth_data(protos, 1, &tokenlen);
+ if (!token) {
+ free(name);
+ gcry_sexp_release(protos);
+ gcry_sexp_release(privs);
+ gcry_sexp_release(allkeys);
+ return gcry_error(GPG_ERR_UNUSABLE_SECKEY);
+ }
+ proto = malloc(tokenlen + 1);
+ if (!proto) {
+ free(name);
+ gcry_sexp_release(protos);
+ gcry_sexp_release(privs);
+ gcry_sexp_release(allkeys);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ memmove(proto, token, tokenlen);
+ proto[tokenlen] = '\0';
+ gcry_sexp_release(protos);
+
+ /* Make a new OtrlPrivKey entry */
+ p = malloc(sizeof(*p));
+ if (!p) {
+ free(name);
+ free(proto);
+ gcry_sexp_release(privs);
+ gcry_sexp_release(allkeys);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+
+ /* Fill it in and link it up */
+ p->accountname = name;
+ p->protocol = proto;
+ p->pubkey_type = OTRL_PUBKEY_TYPE_DSA;
+ p->privkey = privs;
+ p->next = us->privkey_root;
+ if (p->next) {
+ p->next->tous = &(p->next);
+ }
+ p->tous = &(us->privkey_root);
+ us->privkey_root = p;
+ err = make_pubkey(&(p->pubkey_data), &(p->pubkey_datalen), p->privkey);
+ if (err) {
+ gcry_sexp_release(allkeys);
+ otrl_privkey_forget(p);
+ return gcry_error(GPG_ERR_UNUSABLE_SECKEY);
+ }
+ }
+ gcry_sexp_release(allkeys);
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+static gcry_error_t sexp_write(FILE *privf, gcry_sexp_t sexp)
+{
+ size_t buflen;
+ char *buf;
+
+ buflen = gcry_sexp_sprint(sexp, GCRYSEXP_FMT_ADVANCED, NULL, 0);
+ buf = malloc(buflen);
+ if (buf == NULL && buflen > 0) {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ gcry_sexp_sprint(sexp, GCRYSEXP_FMT_ADVANCED, buf, buflen);
+
+ fprintf(privf, "%s", buf);
+ free(buf);
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+static gcry_error_t account_write(FILE *privf, const char *accountname,
+ const char *protocol, gcry_sexp_t privkey)
+{
+ gcry_error_t err;
+ gcry_sexp_t names, protos;
+
+ fprintf(privf, " (account\n");
+
+ err = gcry_sexp_build(&names, NULL, "(name %s)", accountname);
+ if (!err) {
+ err = sexp_write(privf, names);
+ gcry_sexp_release(names);
+ }
+ if (!err) err = gcry_sexp_build(&protos, NULL, "(protocol %s)", protocol);
+ if (!err) {
+ err = sexp_write(privf, protos);
+ gcry_sexp_release(protos);
+ }
+ if (!err) err = sexp_write(privf, privkey);
+
+ fprintf(privf, " )\n");
+
+ return err;
+}
+
+/* Generate a private DSA key for a given account, storing it into a
+ * file on disk, and loading it into the given OtrlUserState. Overwrite any
+ * previously generated keys for that account in that OtrlUserState. */
+gcry_error_t otrl_privkey_generate(OtrlUserState us, const char *filename,
+ const char *accountname, const char *protocol)
+{
+ gcry_error_t err;
+ FILE *privf;
+#ifndef WIN32
+ mode_t oldmask;
+#endif
+
+#ifndef WIN32
+ oldmask = umask(077);
+#endif
+ privf = fopen(filename, "w+b");
+ if (!privf) {
+#ifndef WIN32
+ umask(oldmask);
+#endif
+ err = gcry_error_from_errno(errno);
+ return err;
+ }
+
+ err = otrl_privkey_generate_FILEp(us, privf, accountname, protocol);
+
+ fclose(privf);
+#ifndef WIN32
+ umask(oldmask);
+#endif
+ return err;
+}
+
+/* Generate a private DSA key for a given account, storing it into a
+ * FILE*, and loading it into the given OtrlUserState. Overwrite any
+ * previously generated keys for that account in that OtrlUserState.
+ * The FILE* must be open for reading and writing. */
+gcry_error_t otrl_privkey_generate_FILEp(OtrlUserState us, FILE *privf,
+ const char *accountname, const char *protocol)
+{
+ gcry_error_t err;
+ gcry_sexp_t key, parms, privkey;
+ static const char *parmstr = "(genkey (dsa (nbits 4:1024)))";
+ OtrlPrivKey *p;
+
+ if (!privf) return gcry_error(GPG_ERR_NO_ERROR);
+
+ /* Create a DSA key */
+ err = gcry_sexp_new(&parms, parmstr, strlen(parmstr), 0);
+ if (err) {
+ return err;
+ }
+ err = gcry_pk_genkey(&key, parms);
+ gcry_sexp_release(parms);
+ if (err) {
+ return err;
+ }
+
+ /* Extract the privkey */
+ privkey = gcry_sexp_find_token(key, "private-key", 0);
+ gcry_sexp_release(key);
+
+ /* Output the other keys we know */
+ fprintf(privf, "(privkeys\n");
+
+ for (p=us->privkey_root; p; p=p->next) {
+ /* Skip this one if our new key replaces it */
+ if (!strcmp(p->accountname, accountname) &&
+ !strcmp(p->protocol, protocol)) {
+ continue;
+ }
+
+ account_write(privf, p->accountname, p->protocol, p->privkey);
+ }
+ account_write(privf, accountname, protocol, privkey);
+ gcry_sexp_release(privkey);
+ fprintf(privf, ")\n");
+
+ fseek(privf, 0, SEEK_SET);
+
+ return otrl_privkey_read_FILEp(us, privf);
+}
+
+/* Convert a hex character to a value */
+static unsigned int ctoh(char c)
+{
+ if (c >= '0' && c <= '9') return c-'0';
+ if (c >= 'a' && c <= 'f') return c-'a'+10;
+ if (c >= 'A' && c <= 'F') return c-'A'+10;
+ return 0; /* Unknown hex char */
+}
+
+/* Read the fingerprint store from a file on disk into the given
+ * OtrlUserState. Use add_app_data to add application data to each
+ * ConnContext so created. */
+gcry_error_t otrl_privkey_read_fingerprints(OtrlUserState us,
+ const char *filename,
+ void (*add_app_data)(void *data, ConnContext *context),
+ void *data)
+{
+ gcry_error_t err;
+ FILE *storef;
+
+ storef = fopen(filename, "rb");
+ if (!storef) {
+ err = gcry_error_from_errno(errno);
+ return err;
+ }
+
+ err = otrl_privkey_read_fingerprints_FILEp(us, storef, add_app_data, data);
+
+ fclose(storef);
+ return err;
+}
+
+/* Read the fingerprint store from a FILE* into the given
+ * OtrlUserState. Use add_app_data to add application data to each
+ * ConnContext so created. The FILE* must be open for reading. */
+gcry_error_t otrl_privkey_read_fingerprints_FILEp(OtrlUserState us,
+ FILE *storef,
+ void (*add_app_data)(void *data, ConnContext *context),
+ void *data)
+{
+ ConnContext *context;
+ char storeline[1000];
+ unsigned char fingerprint[20];
+ size_t maxsize = sizeof(storeline);
+
+ if (!storef) return gcry_error(GPG_ERR_NO_ERROR);
+
+ while(fgets(storeline, maxsize, storef)) {
+ char *username;
+ char *accountname;
+ char *protocol;
+ char *hex;
+ char *trust;
+ char *tab;
+ char *eol;
+ Fingerprint *fng;
+ int i, j;
+ /* Parse the line, which should be of the form:
+ * username\taccountname\tprotocol\t40_hex_nybbles\n */
+ username = storeline;
+ tab = strchr(username, '\t');
+ if (!tab) continue;
+ *tab = '\0';
+
+ accountname = tab + 1;
+ tab = strchr(accountname, '\t');
+ if (!tab) continue;
+ *tab = '\0';
+
+ protocol = tab + 1;
+ tab = strchr(protocol, '\t');
+ if (!tab) continue;
+ *tab = '\0';
+
+ hex = tab + 1;
+ tab = strchr(hex, '\t');
+ if (!tab) {
+ eol = strchr(hex, '\r');
+ if (!eol) eol = strchr(hex, '\n');
+ if (!eol) continue;
+ *eol = '\0';
+ trust = NULL;
+ } else {
+ *tab = '\0';
+ trust = tab + 1;
+ eol = strchr(trust, '\r');
+ if (!eol) eol = strchr(trust, '\n');
+ if (!eol) continue;
+ *eol = '\0';
+ }
+
+ if (strlen(hex) != 40) continue;
+ for(j=0, i=0; i<40; i+=2) {
+ fingerprint[j++] = (ctoh(hex[i]) << 4) + (ctoh(hex[i+1]));
+ }
+ /* Get the context for this user, adding if not yet present */
+ context = otrl_context_find(us, username, accountname, protocol,
+ 1, NULL, add_app_data, data);
+ /* Add the fingerprint if not already there */
+ fng = otrl_context_find_fingerprint(context, fingerprint, 1, NULL);
+ otrl_context_set_trust(fng, trust);
+ }
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Write the fingerprint store from a given OtrlUserState to a file on disk. */
+gcry_error_t otrl_privkey_write_fingerprints(OtrlUserState us,
+ const char *filename)
+{
+ gcry_error_t err;
+ FILE *storef;
+
+ storef = fopen(filename, "wb");
+ if (!storef) {
+ err = gcry_error_from_errno(errno);
+ return err;
+ }
+
+ err = otrl_privkey_write_fingerprints_FILEp(us, storef);
+
+ fclose(storef);
+ return err;
+}
+
+/* Write the fingerprint store from a given OtrlUserState to a FILE*.
+ * The FILE* must be open for writing. */
+gcry_error_t otrl_privkey_write_fingerprints_FILEp(OtrlUserState us,
+ FILE *storef)
+{
+ ConnContext *context;
+ Fingerprint *fprint;
+
+ if (!storef) return gcry_error(GPG_ERR_NO_ERROR);
+
+ for(context = us->context_root; context; context = context->next) {
+ /* Don't both with the first (fingerprintless) entry. */
+ for (fprint = context->fingerprint_root.next; fprint;
+ fprint = fprint->next) {
+ int i;
+ fprintf(storef, "%s\t%s\t%s\t", context->username,
+ context->accountname, context->protocol);
+ for(i=0;i<20;++i) {
+ fprintf(storef, "%02x", fprint->fingerprint[i]);
+ }
+ fprintf(storef, "\t%s\n", fprint->trust ? fprint->trust : "");
+ }
+ }
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Fetch the private key from the given OtrlUserState associated with
+ * the given account */
+OtrlPrivKey *otrl_privkey_find(OtrlUserState us, const char *accountname,
+ const char *protocol)
+{
+ OtrlPrivKey *p;
+ if (!accountname || !protocol) return NULL;
+
+ for(p=us->privkey_root; p; p=p->next) {
+ if (!strcmp(p->accountname, accountname) &&
+ !strcmp(p->protocol, protocol)) {
+ return p;
+ }
+ }
+ return NULL;
+}
+
+/* Forget a private key */
+void otrl_privkey_forget(OtrlPrivKey *privkey)
+{
+ free(privkey->accountname);
+ free(privkey->protocol);
+ gcry_sexp_release(privkey->privkey);
+ free(privkey->pubkey_data);
+
+ /* Re-link the list */
+ *(privkey->tous) = privkey->next;
+ if (privkey->next) {
+ privkey->next->tous = privkey->tous;
+ }
+
+ /* Free the privkey struct */
+ free(privkey);
+}
+
+/* Forget all private keys in a given OtrlUserState. */
+void otrl_privkey_forget_all(OtrlUserState us)
+{
+ while (us->privkey_root) {
+ otrl_privkey_forget(us->privkey_root);
+ }
+}
+
+/* Sign data using a private key. The data must be small enough to be
+ * signed (i.e. already hashed, if necessary). The signature will be
+ * returned in *sigp, which the caller must free(). Its length will be
+ * returned in *siglenp. */
+gcry_error_t otrl_privkey_sign(unsigned char **sigp, size_t *siglenp,
+ OtrlPrivKey *privkey, const unsigned char *data, size_t len)
+{
+ gcry_mpi_t r,s, datampi;
+ gcry_sexp_t dsas, rs, ss, sigs, datas;
+ size_t nr, ns;
+ const enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+
+ if (privkey->pubkey_type != OTRL_PUBKEY_TYPE_DSA)
+ return gcry_error(GPG_ERR_INV_VALUE);
+
+ *sigp = malloc(40);
+ if (sigp == NULL) return gcry_error(GPG_ERR_ENOMEM);
+ *siglenp = 40;
+
+ if (len) {
+ gcry_mpi_scan(&datampi, GCRYMPI_FMT_USG, data, len, NULL);
+ } else {
+ datampi = gcry_mpi_set_ui(NULL, 0);
+ }
+ gcry_sexp_build(&datas, NULL, "(%m)", datampi);
+ gcry_mpi_release(datampi);
+ gcry_pk_sign(&sigs, datas, privkey->privkey);
+ gcry_sexp_release(datas);
+ dsas = gcry_sexp_find_token(sigs, "dsa", 0);
+ gcry_sexp_release(sigs);
+ rs = gcry_sexp_find_token(dsas, "r", 0);
+ ss = gcry_sexp_find_token(dsas, "s", 0);
+ gcry_sexp_release(dsas);
+ r = gcry_sexp_nth_mpi(rs, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release(rs);
+ s = gcry_sexp_nth_mpi(ss, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release(ss);
+ gcry_mpi_print(format, NULL, 0, &nr, r);
+ gcry_mpi_print(format, NULL, 0, &ns, s);
+ memset(*sigp, 0, 40);
+ gcry_mpi_print(format, (*sigp)+(20-nr), nr, NULL, r);
+ gcry_mpi_print(format, (*sigp)+20+(20-ns), ns, NULL, s);
+ gcry_mpi_release(r);
+ gcry_mpi_release(s);
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Verify a signature on data using a public key. The data must be
+ * small enough to be signed (i.e. already hashed, if necessary). */
+gcry_error_t otrl_privkey_verify(const unsigned char *sigbuf, size_t siglen,
+ unsigned short pubkey_type, gcry_sexp_t pubs,
+ const unsigned char *data, size_t len)
+{
+ gcry_error_t err;
+ gcry_mpi_t datampi,r,s;
+ gcry_sexp_t datas, sigs;
+
+ if (pubkey_type != OTRL_PUBKEY_TYPE_DSA || siglen != 40)
+ return gcry_error(GPG_ERR_INV_VALUE);
+
+ if (len) {
+ gcry_mpi_scan(&datampi, GCRYMPI_FMT_USG, data, len, NULL);
+ } else {
+ datampi = gcry_mpi_set_ui(NULL, 0);
+ }
+ gcry_sexp_build(&datas, NULL, "(%m)", datampi);
+ gcry_mpi_release(datampi);
+ gcry_mpi_scan(&r, GCRYMPI_FMT_USG, sigbuf, 20, NULL);
+ gcry_mpi_scan(&s, GCRYMPI_FMT_USG, sigbuf+20, 20, NULL);
+ gcry_sexp_build(&sigs, NULL, "(sig-val (dsa (r %m)(s %m)))", r, s);
+ gcry_mpi_release(r);
+ gcry_mpi_release(s);
+
+ err = gcry_pk_verify(sigs, datas, pubs);
+ gcry_sexp_release(datas);
+ gcry_sexp_release(sigs);
+
+ return err;
+}
+gcry_error_t otrl_account_write(FILE *privf, const char *accountname,
+ const char *protocol, gcry_sexp_t privkey) {
+ return account_write(privf, accountname, protocol, privkey);
+} \ No newline at end of file
diff --git a/plugins/MirOTR/libotr/src/privkey.h b/plugins/MirOTR/libotr/src/privkey.h
new file mode 100644
index 0000000000..1208f54993
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/privkey.h
@@ -0,0 +1,115 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __PRIVKEY_H__
+#define __PRIVKEY_H__
+
+#include <stdio.h>
+#include "privkey-t.h"
+#include "userstate.h"
+
+gcry_error_t otrl_account_write(FILE *privf, const char *accountname,
+ const char *protocol, gcry_sexp_t privkey);
+
+/* Convert a 20-byte hash value to a 45-byte human-readable value */
+void otrl_privkey_hash_to_human(char human[45], const unsigned char hash[20]);
+
+/* Calculate a human-readable hash of our DSA public key. Return it in
+ * the passed fingerprint buffer. Return NULL on error, or a pointer to
+ * the given buffer on success. */
+char *otrl_privkey_fingerprint(OtrlUserState us, char fingerprint[45],
+ const char *accountname, const char *protocol);
+
+/* Calculate a raw hash of our DSA public key. Return it in the passed
+ * fingerprint buffer. Return NULL on error, or a pointer to the given
+ * buffer on success. */
+unsigned char *otrl_privkey_fingerprint_raw(OtrlUserState us,
+ unsigned char hash[20], const char *accountname, const char *protocol);
+
+/* Read a sets of private DSA keys from a file on disk into the given
+ * OtrlUserState. */
+gcry_error_t otrl_privkey_read(OtrlUserState us, const char *filename);
+
+/* Read a sets of private DSA keys from a FILE* into the given
+ * OtrlUserState. The FILE* must be open for reading. */
+gcry_error_t otrl_privkey_read_FILEp(OtrlUserState us, FILE *privf);
+
+/* Generate a private DSA key for a given account, storing it into a
+ * file on disk, and loading it into the given OtrlUserState. Overwrite any
+ * previously generated keys for that account in that OtrlUserState. */
+gcry_error_t otrl_privkey_generate(OtrlUserState us, const char *filename,
+ const char *accountname, const char *protocol);
+
+/* Generate a private DSA key for a given account, storing it into a
+ * FILE*, and loading it into the given OtrlUserState. Overwrite any
+ * previously generated keys for that account in that OtrlUserState.
+ * The FILE* must be open for reading and writing. */
+gcry_error_t otrl_privkey_generate_FILEp(OtrlUserState us, FILE *privf,
+ const char *accountname, const char *protocol);
+
+/* Read the fingerprint store from a file on disk into the given
+ * OtrlUserState. Use add_app_data to add application data to each
+ * ConnContext so created. */
+gcry_error_t otrl_privkey_read_fingerprints(OtrlUserState us,
+ const char *filename,
+ void (*add_app_data)(void *data, ConnContext *context),
+ void *data);
+
+/* Read the fingerprint store from a FILE* into the given
+ * OtrlUserState. Use add_app_data to add application data to each
+ * ConnContext so created. The FILE* must be open for reading. */
+gcry_error_t otrl_privkey_read_fingerprints_FILEp(OtrlUserState us,
+ FILE *storef,
+ void (*add_app_data)(void *data, ConnContext *context),
+ void *data);
+
+/* Write the fingerprint store from a given OtrlUserState to a file on disk. */
+gcry_error_t otrl_privkey_write_fingerprints(OtrlUserState us,
+ const char *filename);
+
+/* Write the fingerprint store from a given OtrlUserState to a FILE*.
+ * The FILE* must be open for writing. */
+gcry_error_t otrl_privkey_write_fingerprints_FILEp(OtrlUserState us,
+ FILE *storef);
+
+/* Fetch the private key from the given OtrlUserState associated with
+ * the given account */
+OtrlPrivKey *otrl_privkey_find(OtrlUserState us, const char *accountname,
+ const char *protocol);
+
+/* Forget a private key */
+void otrl_privkey_forget(OtrlPrivKey *privkey);
+
+/* Forget all private keys in a given OtrlUserState. */
+void otrl_privkey_forget_all(OtrlUserState us);
+
+/* Sign data using a private key. The data must be small enough to be
+ * signed (i.e. already hashed, if necessary). The signature will be
+ * returned in *sigp, which the caller must free(). Its length will be
+ * returned in *siglenp. */
+gcry_error_t otrl_privkey_sign(unsigned char **sigp, size_t *siglenp,
+ OtrlPrivKey *privkey, const unsigned char *data, size_t len);
+
+/* Verify a signature on data using a public key. The data must be
+ * small enough to be signed (i.e. already hashed, if necessary). */
+gcry_error_t otrl_privkey_verify(const unsigned char *sigbuf, size_t siglen,
+ unsigned short pubkey_type, gcry_sexp_t pubs,
+ const unsigned char *data, size_t len);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/proto.c b/plugins/MirOTR/libotr/src/proto.c
new file mode 100644
index 0000000000..307ab047ff
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/proto.c
@@ -0,0 +1,906 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* OTR Protocol implementation. This file should be independent of
+ * gaim, so that it can be used to make other clients. */
+
+/* system headers */
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+/* libgcrypt headers */
+#include <gcrypt.h>
+
+/* libotr headers */
+#include "b64.h"
+#include "privkey.h"
+#include "proto.h"
+#include "mem.h"
+#include "version.h"
+#include "tlv.h"
+#include "serial.h"
+
+/* For now, we need to know the API version the client is using so that
+ * we don't use any UI callbacks it hasn't set. */
+unsigned int otrl_api_version = 0;
+
+/* Initialize the OTR library. Pass the version of the API you are
+ * using. */
+void otrl_init(unsigned int ver_major, unsigned int ver_minor,
+ unsigned int ver_sub)
+{
+ unsigned int api_version;
+
+ /* The major versions have to match, and you can't be using a newer
+ * minor version than we expect. */
+ if (ver_major != OTRL_VERSION_MAJOR || ver_minor > OTRL_VERSION_MINOR) {
+ fprintf(stderr, "Expected libotr API version %u.%u.%u incompatible "
+ "with actual version %u.%u.%u. Aborting.\n",
+ ver_major, ver_minor, ver_sub,
+ OTRL_VERSION_MAJOR, OTRL_VERSION_MINOR, OTRL_VERSION_SUB);
+ exit(1);
+ }
+
+ /* Set the API version. If we get called multiple times for some
+ * reason, take the smallest value. */
+ api_version = (ver_major << 16) | (ver_minor << 8) | (ver_sub);
+ if (otrl_api_version == 0 || otrl_api_version > api_version) {
+ otrl_api_version = api_version;
+ }
+
+ /* Initialize the memory module */
+ otrl_mem_init();
+
+ /* Initialize the DH module */
+ otrl_dh_init();
+
+ /* Initialize the SM module */
+ otrl_sm_init();
+}
+
+/* Return a pointer to a static string containing the version number of
+ * the OTR library. */
+const char *otrl_version(void)
+{
+ return OTRL_VERSION;
+}
+
+/* Store some MAC keys to be revealed later */
+static gcry_error_t reveal_macs(ConnContext *context,
+ DH_sesskeys *sess1, DH_sesskeys *sess2)
+{
+ unsigned int numnew = sess1->rcvmacused + sess1->sendmacused +
+ sess2->rcvmacused + sess2->sendmacused;
+ unsigned int newnumsaved;
+ unsigned char *newmacs;
+
+ /* Is there anything to do? */
+ if (numnew == 0) return gcry_error(GPG_ERR_NO_ERROR);
+
+ newnumsaved = context->numsavedkeys + numnew;
+ newmacs = realloc(context->saved_mac_keys,
+ newnumsaved * 20);
+ if (!newmacs) {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ if (sess1->rcvmacused) {
+ memmove(newmacs + context->numsavedkeys * 20, sess1->rcvmackey, 20);
+ context->numsavedkeys++;
+ }
+ if (sess1->sendmacused) {
+ memmove(newmacs + context->numsavedkeys * 20, sess1->sendmackey, 20);
+ context->numsavedkeys++;
+ }
+ if (sess2->rcvmacused) {
+ memmove(newmacs + context->numsavedkeys * 20, sess2->rcvmackey, 20);
+ context->numsavedkeys++;
+ }
+ if (sess2->sendmacused) {
+ memmove(newmacs + context->numsavedkeys * 20, sess2->sendmackey, 20);
+ context->numsavedkeys++;
+ }
+ context->saved_mac_keys = newmacs;
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Make a new DH key for us, and rotate old old ones. Be sure to keep
+ * the sesskeys array in sync. */
+static gcry_error_t rotate_dh_keys(ConnContext *context)
+{
+ gcry_error_t err;
+
+ /* Rotate the keypair */
+ otrl_dh_keypair_free(&(context->our_old_dh_key));
+ memmove(&(context->our_old_dh_key), &(context->our_dh_key),
+ sizeof(DH_keypair));
+
+ /* Rotate the session keys */
+ err = reveal_macs(context, &(context->sesskeys[1][0]),
+ &(context->sesskeys[1][1]));
+ if (err) return err;
+ otrl_dh_session_free(&(context->sesskeys[1][0]));
+ otrl_dh_session_free(&(context->sesskeys[1][1]));
+ memmove(&(context->sesskeys[1][0]), &(context->sesskeys[0][0]),
+ sizeof(DH_sesskeys));
+ memmove(&(context->sesskeys[1][1]), &(context->sesskeys[0][1]),
+ sizeof(DH_sesskeys));
+
+ /* Create a new DH key */
+ otrl_dh_gen_keypair(DH1536_GROUP_ID, &(context->our_dh_key));
+ context->our_keyid++;
+
+ /* Make the session keys */
+ if (context->their_y) {
+ err = otrl_dh_session(&(context->sesskeys[0][0]),
+ &(context->our_dh_key), context->their_y);
+ if (err) return err;
+ } else {
+ otrl_dh_session_blank(&(context->sesskeys[0][0]));
+ }
+ if (context->their_old_y) {
+ err = otrl_dh_session(&(context->sesskeys[0][1]),
+ &(context->our_dh_key), context->their_old_y);
+ if (err) return err;
+ } else {
+ otrl_dh_session_blank(&(context->sesskeys[0][1]));
+ }
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Rotate in a new DH public key for our correspondent. Be sure to keep
+ * the sesskeys array in sync. */
+static gcry_error_t rotate_y_keys(ConnContext *context, gcry_mpi_t new_y)
+{
+ gcry_error_t err;
+
+ /* Rotate the public key */
+ gcry_mpi_release(context->their_old_y);
+ context->their_old_y = context->their_y;
+
+ /* Rotate the session keys */
+ err = reveal_macs(context, &(context->sesskeys[0][1]),
+ &(context->sesskeys[1][1]));
+ if (err) return err;
+ otrl_dh_session_free(&(context->sesskeys[0][1]));
+ otrl_dh_session_free(&(context->sesskeys[1][1]));
+ memmove(&(context->sesskeys[0][1]), &(context->sesskeys[0][0]),
+ sizeof(DH_sesskeys));
+ memmove(&(context->sesskeys[1][1]), &(context->sesskeys[1][0]),
+ sizeof(DH_sesskeys));
+
+ /* Copy in the new public key */
+ context->their_y = gcry_mpi_copy(new_y);
+ context->their_keyid++;
+
+ /* Make the session keys */
+ err = otrl_dh_session(&(context->sesskeys[0][0]),
+ &(context->our_dh_key), context->their_y);
+ if (err) return err;
+ err = otrl_dh_session(&(context->sesskeys[1][0]),
+ &(context->our_old_dh_key), context->their_y);
+ if (err) return err;
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Return a pointer to a newly-allocated OTR query message, customized
+ * with our name. The caller should free() the result when he's done
+ * with it. */
+char *otrl_proto_default_query_msg(const char *ourname, OtrlPolicy policy)
+{
+ char *msg;
+ int v1_supported, v2_supported;
+ const char *version_tag;
+ /* Don't use g_strdup_printf here, because someone (not us) is going
+ * to free() the *message pointer, not g_free() it. We can't
+ * require that they g_free() it, because this pointer will probably
+ * get passed to the main IM application for processing (and
+ * free()ing). */
+ const char *format = "?OTR%s\n<b>%s</b> has requested an "
+ "<a href=\"http://otr.cypherpunks.ca/\">Off-the-Record "
+ "private conversation</a>. However, you do not have a plugin "
+ "to support that.\nSee <a href=\"http://otr.cypherpunks.ca/\">"
+ "http://otr.cypherpunks.ca/</a> for more information.";
+
+ /* Figure out the version tag */
+ v1_supported = (policy & OTRL_POLICY_ALLOW_V1);
+ v2_supported = (policy & OTRL_POLICY_ALLOW_V2);
+ if (v1_supported) {
+ if (v2_supported) {
+ version_tag = "?v2?";
+ } else {
+ version_tag = "?";
+ }
+ } else {
+ if (v2_supported) {
+ version_tag = "v2?";
+ } else {
+ version_tag = "v?";
+ }
+ }
+
+ /* Remove two "%s", add '\0' */
+ msg = malloc(strlen(format) + strlen(version_tag) + strlen(ourname) - 3);
+ if (!msg) return NULL;
+ sprintf(msg, format, version_tag, ourname);
+ return msg;
+}
+
+/* Return the best version of OTR support by both sides, given an OTR
+ * Query Message and the local policy. */
+unsigned int otrl_proto_query_bestversion(const char *querymsg,
+ OtrlPolicy policy)
+{
+ char *otrtag;
+ unsigned int query_versions = 0;
+
+ otrtag = strstr(querymsg, "?OTR");
+ otrtag += 4;
+ if (*otrtag == '?') {
+ query_versions = (1<<0);
+ ++otrtag;
+ }
+ if (*otrtag == 'v') {
+ for(++otrtag; *otrtag && *otrtag != '?'; ++otrtag) {
+ switch(*otrtag) {
+ case '2':
+ query_versions |= (1<<1);
+ break;
+ }
+ }
+ }
+
+ if ((policy & OTRL_POLICY_ALLOW_V2) && (query_versions & (1<<1))) {
+ return 2;
+ }
+ if ((policy & OTRL_POLICY_ALLOW_V1) && (query_versions & (1<<0))) {
+ return 1;
+ }
+ return 0;
+}
+
+/* Locate any whitespace tag in this message, and return the best
+ * version of OTR support on both sides. Set *starttagp and *endtagp to
+ * the start and end of the located tag, so that it can be snipped out. */
+unsigned int otrl_proto_whitespace_bestversion(const char *msg,
+ const char **starttagp, const char **endtagp, OtrlPolicy policy)
+{
+ const char *starttag, *endtag;
+ unsigned int query_versions = 0;
+
+ *starttagp = NULL;
+ *endtagp = NULL;
+
+ starttag = strstr(msg, OTRL_MESSAGE_TAG_BASE);
+ if (!starttag) return 0;
+
+ endtag = starttag + strlen(OTRL_MESSAGE_TAG_BASE);
+
+ /* Look for groups of 8 spaces and/or tabs */
+ while(1) {
+ int i;
+ int allwhite = 1;
+ for(i=0;i<8;++i) {
+ if (endtag[i] != ' ' && endtag[i] != '\t') {
+ allwhite = 0;
+ break;
+ }
+ }
+ if (allwhite) {
+ if (!strncmp(endtag, OTRL_MESSAGE_TAG_V1, 8)) {
+ query_versions |= (1<<0);
+ }
+ if (!strncmp(endtag, OTRL_MESSAGE_TAG_V2, 8)) {
+ query_versions |= (1<<1);
+ }
+ endtag += 8;
+ } else {
+ break;
+ }
+ }
+
+ *starttagp = starttag;
+ *endtagp = endtag;
+
+ if ((policy & OTRL_POLICY_ALLOW_V2) && (query_versions & (1<<1))) {
+ return 2;
+ }
+ if ((policy & OTRL_POLICY_ALLOW_V1) && (query_versions & (1<<0))) {
+ return 1;
+ }
+ return 0;
+}
+
+/* Return the Message type of the given message. */
+OtrlMessageType otrl_proto_message_type(const char *message)
+{
+ char *otrtag;
+
+ otrtag = strstr(message, "?OTR");
+
+ if (!otrtag) {
+ if (strstr(message, OTRL_MESSAGE_TAG_BASE)) {
+ return OTRL_MSGTYPE_TAGGEDPLAINTEXT;
+ } else {
+ return OTRL_MSGTYPE_NOTOTR;
+ }
+ }
+
+ if (!strncmp(otrtag, "?OTR?", 5)) return OTRL_MSGTYPE_QUERY;
+ if (!strncmp(otrtag, "?OTRv", 5)) return OTRL_MSGTYPE_QUERY;
+ if (!strncmp(otrtag, "?OTR:AAIC", 9)) return OTRL_MSGTYPE_DH_COMMIT;
+ if (!strncmp(otrtag, "?OTR:AAIK", 9)) return OTRL_MSGTYPE_DH_KEY;
+ if (!strncmp(otrtag, "?OTR:AAIR", 9)) return OTRL_MSGTYPE_REVEALSIG;
+ if (!strncmp(otrtag, "?OTR:AAIS", 9)) return OTRL_MSGTYPE_SIGNATURE;
+ if (!strncmp(otrtag, "?OTR:AAEK", 9)) return OTRL_MSGTYPE_V1_KEYEXCH;
+ if (!strncmp(otrtag, "?OTR:AAED", 9)) return OTRL_MSGTYPE_DATA;
+ if (!strncmp(otrtag, "?OTR:AAID", 9)) return OTRL_MSGTYPE_DATA;
+ if (!strncmp(otrtag, "?OTR Error:", 11)) return OTRL_MSGTYPE_ERROR;
+
+ return OTRL_MSGTYPE_UNKNOWN;
+}
+
+/* Create an OTR Data message. Pass the plaintext as msg, and an
+ * optional chain of TLVs. A newly-allocated string will be returned in
+ * *encmessagep. */
+gcry_error_t otrl_proto_create_data(char **encmessagep, ConnContext *context,
+ const char *msg, const OtrlTLV *tlvs, unsigned char flags)
+{
+ size_t justmsglen = strlen(msg);
+ size_t msglen = justmsglen + 1 + otrl_tlv_seriallen(tlvs);
+ size_t buflen;
+ size_t pubkeylen;
+ unsigned char *buf = NULL;
+ unsigned char *bufp;
+ size_t lenp;
+ DH_sesskeys *sess = &(context->sesskeys[1][0]);
+ gcry_error_t err;
+ size_t reveallen = 20 * context->numsavedkeys;
+ size_t base64len;
+ char *base64buf = NULL;
+ unsigned char *msgbuf = NULL;
+ enum gcry_mpi_format format = GCRYMPI_FMT_USG;
+ char *msgdup;
+ int version = context->protocol_version;
+
+ /* Make sure we're actually supposed to be able to encrypt */
+ if (context->msgstate != OTRL_MSGSTATE_ENCRYPTED ||
+ context->their_keyid == 0) {
+ return gcry_error(GPG_ERR_CONFLICT);
+ }
+
+ /* We need to copy the incoming msg, since it might be an alias for
+ * context->lastmessage, which we'll be freeing soon. */
+ msgdup = gcry_malloc_secure(justmsglen + 1);
+ if (msgdup == NULL) {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ strcpy(msgdup, msg);
+
+ *encmessagep = NULL;
+
+ /* Header, send keyid, recv keyid, counter, msg len, msg
+ * len of revealed mac keys, revealed mac keys, MAC */
+ buflen = 3 + (version == 2 ? 1 : 0) + 4 + 4 + 8 + 4 + msglen +
+ 4 + reveallen + 20;
+ gcry_mpi_print(format, NULL, 0, &pubkeylen, context->our_dh_key.pub);
+ buflen += pubkeylen + 4;
+ buf = malloc(buflen);
+ msgbuf = gcry_malloc_secure(msglen);
+ if (buf == NULL || msgbuf == NULL) {
+ free(buf);
+ gcry_free(msgbuf);
+ gcry_free(msgdup);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ memmove(msgbuf, msgdup, justmsglen);
+ msgbuf[justmsglen] = '\0';
+ otrl_tlv_serialize(msgbuf + justmsglen + 1, tlvs);
+ bufp = buf;
+ lenp = buflen;
+ if (version == 1) {
+ memcpy(bufp, "\x00\x01\x03", 3); /* header */
+ } else {
+ memcpy(bufp, "\x00\x02\x03", 3); /* header */
+ }
+ debug_data("Header", bufp, 3);
+ bufp += 3; lenp -= 3;
+ if (version == 2) {
+ bufp[0] = flags;
+ bufp += 1; lenp -= 1;
+ }
+ write_int(context->our_keyid-1); /* sender keyid */
+ debug_int("Sender keyid", bufp-4);
+ write_int(context->their_keyid); /* recipient keyid */
+ debug_int("Recipient keyid", bufp-4);
+
+ write_mpi(context->our_dh_key.pub, pubkeylen, "Y"); /* Y */
+
+ otrl_dh_incctr(sess->sendctr);
+ memcpy(bufp, sess->sendctr, 8); /* Counter (top 8 bytes only) */
+ debug_data("Counter", bufp, 8);
+ bufp += 8; lenp -= 8;
+
+ write_int(msglen); /* length of encrypted data */
+ debug_int("Msg len", bufp-4);
+
+ err = gcry_cipher_reset(sess->sendenc);
+ if (err) goto err;
+ err = gcry_cipher_setctr(sess->sendenc, sess->sendctr, 16);
+ if (err) goto err;
+ err = gcry_cipher_encrypt(sess->sendenc, bufp, msglen, msgbuf, msglen);
+ if (err) goto err; /* encrypted data */
+ debug_data("Enc data", bufp, msglen);
+ bufp += msglen;
+ lenp -= msglen;
+
+ gcry_md_reset(sess->sendmac);
+ gcry_md_write(sess->sendmac, buf, bufp-buf);
+ memcpy(bufp, gcry_md_read(sess->sendmac, GCRY_MD_SHA1), 20);
+ debug_data("MAC", bufp, 20);
+ bufp += 20; /* MAC */
+ lenp -= 20;
+
+ write_int(reveallen); /* length of revealed MAC keys */
+ debug_int("Revealed MAC length", bufp-4);
+
+ if (reveallen > 0) {
+ memcpy(bufp, context->saved_mac_keys, reveallen);
+ debug_data("Revealed MAC data", bufp, reveallen);
+ bufp += reveallen; lenp -= reveallen;
+ free(context->saved_mac_keys);
+ context->saved_mac_keys = NULL;
+ context->numsavedkeys = 0;
+ }
+
+ assert(lenp == 0);
+
+ /* Make the base64-encoding. */
+ base64len = ((buflen + 2) / 3) * 4;
+ base64buf = malloc(5 + base64len + 1 + 1);
+ if (base64buf == NULL) {
+ err = gcry_error(GPG_ERR_ENOMEM);
+ goto err;
+ }
+ memcpy(base64buf, "?OTR:", 5);
+ otrl_base64_encode(base64buf+5, buf, buflen);
+ base64buf[5 + base64len] = '.';
+ base64buf[5 + base64len + 1] = '\0';
+
+ free(buf);
+ gcry_free(msgbuf);
+ *encmessagep = base64buf;
+ gcry_free(context->lastmessage);
+ context->lastmessage = NULL;
+ context->may_retransmit = 0;
+ if (msglen > 0) {
+ const char *prefix = "[resent] ";
+ size_t prefixlen = strlen(prefix);
+ if (!strncmp(prefix, msgdup, prefixlen)) {
+ /* The prefix is already there. Don't add it again. */
+ prefix = "";
+ prefixlen = 0;
+ }
+ context->lastmessage = gcry_malloc_secure(prefixlen + justmsglen + 1);
+ if (context->lastmessage) {
+ strcpy(context->lastmessage, prefix);
+ strcat(context->lastmessage, msgdup);
+ }
+ }
+ gcry_free(msgdup);
+ return gcry_error(GPG_ERR_NO_ERROR);
+err:
+ free(buf);
+ gcry_free(msgbuf);
+ gcry_free(msgdup);
+ *encmessagep = NULL;
+ return err;
+}
+
+/* Extract the flags from an otherwise unreadable Data Message. */
+gcry_error_t otrl_proto_data_read_flags(const char *datamsg,
+ unsigned char *flagsp)
+{
+ char *otrtag, *endtag;
+ unsigned char *rawmsg = NULL;
+ unsigned char *bufp;
+ size_t msglen, rawlen, lenp;
+ unsigned char version;
+
+ if (flagsp) *flagsp = 0;
+ otrtag = strstr(datamsg, "?OTR:");
+ if (!otrtag) {
+ goto invval;
+ }
+ endtag = strchr(otrtag, '.');
+ if (endtag) {
+ msglen = endtag-otrtag;
+ } else {
+ msglen = strlen(otrtag);
+ }
+
+ /* Base64-decode the message */
+ rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
+ rawmsg = malloc(rawlen);
+ if (!rawmsg && rawlen > 0) {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
+
+ bufp = rawmsg;
+ lenp = rawlen;
+
+ require_len(3);
+ if (memcmp(bufp, "\x00\x01\x03", 3) && memcmp(bufp, "\x00\x02\x03", 3)) {
+ /* Invalid header */
+ goto invval;
+ }
+ version = bufp[1];
+ bufp += 3; lenp -= 3;
+
+ if (version == 2) {
+ require_len(1);
+ if (flagsp) *flagsp = bufp[0];
+ bufp += 1; lenp -= 1;
+ }
+
+ free(rawmsg);
+ return gcry_error(GPG_ERR_NO_ERROR);
+
+invval:
+ free(rawmsg);
+ return gcry_error(GPG_ERR_INV_VALUE);
+}
+
+/* Accept an OTR Data Message in datamsg. Decrypt it and put the
+ * plaintext into *plaintextp, and any TLVs into tlvsp. Put any
+ * received flags into *flagsp (if non-NULL). */
+gcry_error_t otrl_proto_accept_data(char **plaintextp, OtrlTLV **tlvsp,
+ ConnContext *context, const char *datamsg, unsigned char *flagsp)
+{
+ char *otrtag, *endtag;
+ gcry_error_t err;
+ unsigned char *rawmsg = NULL;
+ size_t msglen, rawlen, lenp;
+ unsigned char *macstart, *macend;
+ unsigned char *bufp;
+ unsigned int sender_keyid, recipient_keyid;
+ gcry_mpi_t sender_next_y = NULL;
+ unsigned char ctr[8];
+ unsigned int datalen, reveallen;
+ unsigned char *data = NULL;
+ unsigned char *nul = NULL;
+ unsigned char givenmac[20];
+ DH_sesskeys *sess;
+ unsigned char version;
+
+ *plaintextp = NULL;
+ *tlvsp = NULL;
+ if (flagsp) *flagsp = 0;
+ otrtag = strstr(datamsg, "?OTR:");
+ if (!otrtag) {
+ goto invval;
+ }
+ endtag = strchr(otrtag, '.');
+ if (endtag) {
+ msglen = endtag-otrtag;
+ } else {
+ msglen = strlen(otrtag);
+ }
+
+ /* Base64-decode the message */
+ rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
+ rawmsg = malloc(rawlen);
+ if (!rawmsg && rawlen > 0) {
+ err = gcry_error(GPG_ERR_ENOMEM);
+ goto err;
+ }
+ rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
+
+ bufp = rawmsg;
+ lenp = rawlen;
+
+ macstart = bufp;
+ require_len(3);
+ if (memcmp(bufp, "\x00\x01\x03", 3) && memcmp(bufp, "\x00\x02\x03", 3)) {
+ /* Invalid header */
+ goto invval;
+ }
+ version = bufp[1];
+ bufp += 3; lenp -= 3;
+
+ if (version == 2) {
+ require_len(1);
+ if (flagsp) *flagsp = bufp[0];
+ bufp += 1; lenp -= 1;
+ }
+ read_int(sender_keyid);
+ read_int(recipient_keyid);
+ read_mpi(sender_next_y);
+ require_len(8);
+ memcpy(ctr, bufp, 8);
+ bufp += 8; lenp -= 8;
+ read_int(datalen);
+ require_len(datalen);
+ data = malloc(datalen+1);
+ if (!data) {
+ err = gcry_error(GPG_ERR_ENOMEM);
+ goto err;
+ }
+ memcpy(data, bufp, datalen);
+ data[datalen] = '\0';
+ bufp += datalen; lenp -= datalen;
+ macend = bufp;
+ require_len(20);
+ memcpy(givenmac, bufp, 20);
+ bufp += 20; lenp -= 20;
+ read_int(reveallen);
+ require_len(reveallen);
+ /* Just skip over the revealed MAC keys, which we don't need. They
+ * were published for deniability of transcripts. */
+ bufp += reveallen; lenp -= reveallen;
+
+ /* That should be everything */
+ if (lenp != 0) goto invval;
+
+ /* We don't take any action on this message (especially rotating
+ * keys) until we've verified the MAC on this message. To that end,
+ * we need to know which keys this message is claiming to use. */
+ if (context->their_keyid == 0 ||
+ (sender_keyid != context->their_keyid &&
+ sender_keyid != context->their_keyid - 1) ||
+ (recipient_keyid != context->our_keyid &&
+ recipient_keyid != context->our_keyid - 1) ||
+ sender_keyid == 0 || recipient_keyid == 0) {
+ goto conflict;
+ }
+
+ if (sender_keyid == context->their_keyid - 1 &&
+ context->their_old_y == NULL) {
+ goto conflict;
+ }
+
+ /* These are the session keys this message is claiming to use. */
+ sess = &(context->sesskeys
+ [context->our_keyid - recipient_keyid]
+ [context->their_keyid - sender_keyid]);
+
+ gcry_md_reset(sess->rcvmac);
+ gcry_md_write(sess->rcvmac, macstart, macend-macstart);
+ if (memcmp(givenmac, gcry_md_read(sess->rcvmac, GCRY_MD_SHA1), 20)) {
+ /* The MACs didn't match! */
+ goto conflict;
+ }
+ sess->rcvmacused = 1;
+
+ /* Check to see that the counter is increasing; i.e. that this isn't
+ * a replay. */
+ if (otrl_dh_cmpctr(ctr, sess->rcvctr) <= 0) {
+ goto conflict;
+ }
+
+ /* Decrypt the message */
+ memcpy(sess->rcvctr, ctr, 8);
+ err = gcry_cipher_reset(sess->rcvenc);
+ if (err) goto err;
+ err = gcry_cipher_setctr(sess->rcvenc, sess->rcvctr, 16);
+ if (err) goto err;
+ err = gcry_cipher_decrypt(sess->rcvenc, data, datalen, NULL, 0);
+ if (err) goto err;
+
+ /* See if either set of keys needs rotating */
+
+ if (recipient_keyid == context->our_keyid) {
+ /* They're using our most recent key, so generate a new one */
+ err = rotate_dh_keys(context);
+ if (err) goto err;
+ }
+
+ if (sender_keyid == context->their_keyid) {
+ /* They've sent us a new public key */
+ err = rotate_y_keys(context, sender_next_y);
+ if (err) goto err;
+ }
+
+ gcry_mpi_release(sender_next_y);
+ *plaintextp = (char *)data;
+
+ /* See if there are TLVs */
+ nul = data;
+ while (nul < data+datalen && *nul) ++nul;
+ /* If we stopped before the end, skip the NUL we stopped at */
+ if (nul < data+datalen) ++nul;
+ *tlvsp = otrl_tlv_parse(nul, (data+datalen)-nul);
+
+ free(rawmsg);
+ return gcry_error(GPG_ERR_NO_ERROR);
+
+invval:
+ err = gcry_error(GPG_ERR_INV_VALUE);
+ goto err;
+conflict:
+ err = gcry_error(GPG_ERR_CONFLICT);
+ goto err;
+err:
+ gcry_mpi_release(sender_next_y);
+ free(data);
+ free(rawmsg);
+ return err;
+}
+
+/* Accumulate a potential fragment into the current context. */
+OtrlFragmentResult otrl_proto_fragment_accumulate(char **unfragmessagep,
+ ConnContext *context, const char *msg)
+{
+ OtrlFragmentResult res = OTRL_FRAGMENT_INCOMPLETE;
+ const char *tag;
+
+ tag = strstr(msg, "?OTR,");
+ if (tag) {
+ unsigned short n = 0, k = 0;
+ int start = 0, end = 0;
+
+ sscanf(tag, "?OTR,%hu,%hu,%n%*[^,],%n", &k, &n, &start, &end);
+ if (k > 0 && n > 0 && k <= n && start > 0 && end > 0 && start < end) {
+ if (k == 1) {
+ int fraglen = end - start - 1;
+ free(context->fragment);
+ context->fragment = malloc(fraglen + 1);
+ if (fraglen + 1 > fraglen && context->fragment) {
+ memmove(context->fragment, tag + start, fraglen);
+ context->fragment_len = fraglen;
+ context->fragment[context->fragment_len] = '\0';
+ context->fragment_n = n;
+ context->fragment_k = k;
+ } else {
+ free(context->fragment);
+ context->fragment = NULL;
+ context->fragment_len = 0;
+ context->fragment_n = 0;
+ context->fragment_k = 0;
+ }
+ } else if (n == context->fragment_n &&
+ k == context->fragment_k + 1) {
+ int fraglen = end - start - 1;
+ char *newfrag = realloc(context->fragment,
+ context->fragment_len + fraglen + 1);
+ if (context->fragment_len + fraglen + 1 > fraglen && newfrag) {
+ context->fragment = newfrag;
+ memmove(context->fragment + context->fragment_len,
+ tag + start, fraglen);
+ context->fragment_len += fraglen;
+ context->fragment[context->fragment_len] = '\0';
+ context->fragment_k = k;
+ } else {
+ free(context->fragment);
+ context->fragment = NULL;
+ context->fragment_len = 0;
+ context->fragment_n = 0;
+ context->fragment_k = 0;
+ }
+ } else {
+ free(context->fragment);
+ context->fragment = NULL;
+ context->fragment_len = 0;
+ context->fragment_n = 0;
+ context->fragment_k = 0;
+ }
+ }
+
+ if (context->fragment_n > 0 &&
+ context->fragment_n == context->fragment_k) {
+ /* We've got a complete message */
+ *unfragmessagep = context->fragment;
+ context->fragment = NULL;
+ context->fragment_len = 0;
+ context->fragment_n = 0;
+ context->fragment_k = 0;
+ res = OTRL_FRAGMENT_COMPLETE;
+ }
+ } else {
+ /* Unfragmented message, so discard any fragment we may have */
+ free(context->fragment);
+ context->fragment = NULL;
+ context->fragment_len = 0;
+ context->fragment_n = 0;
+ context->fragment_k = 0;
+ res = OTRL_FRAGMENT_UNFRAGMENTED;
+ }
+
+ return res;
+}
+
+/* Create a fragmented message. */
+gcry_error_t otrl_proto_fragment_create(int mms, int fragment_count,
+ char ***fragments, const char *message)
+{
+ char *fragdata;
+ int fragdatalen = 0;
+ unsigned short curfrag = 0;
+ int index = 0;
+ int msglen = strlen(message);
+ int headerlen = 19; /* Should vary by number of msgs */
+
+ char **fragmentarray = malloc(fragment_count * sizeof(char*));
+ if(!fragmentarray) return gcry_error(GPG_ERR_ENOMEM);
+
+ /*
+ * Find the next message fragment and store it in the array.
+ */
+ for(curfrag = 1; curfrag <= fragment_count; curfrag++) {
+ int i;
+ char *fragmentmsg;
+
+ if (msglen - index < mms - headerlen) {
+ fragdatalen = msglen - index;
+ } else {
+ fragdatalen = mms - headerlen;
+ }
+ fragdata = malloc(fragdatalen + 1);
+ if(!fragdata) {
+ for (i=0; i<curfrag-1; free(fragmentarray[i++])) {}
+ free(fragmentarray);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+ strncpy(fragdata, message, fragdatalen);
+ fragdata[fragdatalen] = 0;
+
+ fragmentmsg = malloc(fragdatalen+headerlen+1);
+ if(!fragmentmsg) {
+ for (i=0; i<curfrag-1; free(fragmentarray[i++])) {}
+ free(fragmentarray);
+ free(fragdata);
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+
+ /*
+ * Create the actual fragment and store it in the array
+ */
+ _snprintf(fragmentmsg, fragdatalen + headerlen, "?OTR,%05hu,%05hu,%s,", curfrag, fragment_count, fragdata);
+ fragmentmsg[fragdatalen + headerlen] = 0;
+
+ fragmentarray[curfrag-1] = fragmentmsg;
+
+ free(fragdata);
+ index += fragdatalen;
+ message += fragdatalen;
+ }
+
+ *fragments = fragmentarray;
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Free a string array containing fragment messages. */
+void otrl_proto_fragment_free(char ***fragments, unsigned short arraylen)
+{
+ int i;
+ char **fragmentarray = *fragments;
+ if(fragmentarray) {
+ for(i = 0; i < arraylen; i++)
+ {
+ if(fragmentarray[i]) {
+ free(fragmentarray[i]);
+ }
+ }
+ free(fragmentarray);
+ }
+}
+
diff --git a/plugins/MirOTR/libotr/src/proto.h b/plugins/MirOTR/libotr/src/proto.h
new file mode 100644
index 0000000000..d7b0ae6f90
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/proto.h
@@ -0,0 +1,150 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __PROTO_H__
+#define __PROTO_H__
+
+#include "context.h"
+#include "version.h"
+#include "tlv.h"
+
+/* If we ever see this sequence in a plaintext message, we'll assume the
+ * other side speaks OTR, and try to establish a connection. */
+#define OTRL_MESSAGE_TAG_BASE " \t \t\t\t\t \t \t \t "
+/* The following must each be of length 8 */
+#define OTRL_MESSAGE_TAG_V1 " \t \t \t "
+#define OTRL_MESSAGE_TAG_V2 " \t\t \t "
+
+/* The possible flags contained in a Data Message */
+#define OTRL_MSGFLAGS_IGNORE_UNREADABLE 0x01
+
+typedef unsigned int OtrlPolicy;
+
+#define OTRL_POLICY_ALLOW_V1 0x01
+#define OTRL_POLICY_ALLOW_V2 0x02
+#define OTRL_POLICY_REQUIRE_ENCRYPTION 0x04
+#define OTRL_POLICY_SEND_WHITESPACE_TAG 0x08
+#define OTRL_POLICY_WHITESPACE_START_AKE 0x10
+#define OTRL_POLICY_ERROR_START_AKE 0x20
+
+#define OTRL_POLICY_VERSION_MASK (OTRL_POLICY_ALLOW_V1 | OTRL_POLICY_ALLOW_V2)
+
+/* For v1 compatibility */
+#define OTRL_POLICY_NEVER 0x00
+#define OTRL_POLICY_OPPORTUNISTIC \
+ ( OTRL_POLICY_ALLOW_V1 | \
+ OTRL_POLICY_ALLOW_V2 | \
+ OTRL_POLICY_SEND_WHITESPACE_TAG | \
+ OTRL_POLICY_WHITESPACE_START_AKE | \
+ OTRL_POLICY_ERROR_START_AKE )
+#define OTRL_POLICY_MANUAL \
+ ( OTRL_POLICY_ALLOW_V1 | \
+ OTRL_POLICY_ALLOW_V2 )
+#define OTRL_POLICY_ALWAYS \
+ ( OTRL_POLICY_ALLOW_V1 | \
+ OTRL_POLICY_ALLOW_V2 | \
+ OTRL_POLICY_REQUIRE_ENCRYPTION | \
+ OTRL_POLICY_WHITESPACE_START_AKE | \
+ OTRL_POLICY_ERROR_START_AKE )
+#define OTRL_POLICY_DEFAULT OTRL_POLICY_OPPORTUNISTIC
+
+typedef enum {
+ OTRL_MSGTYPE_NOTOTR,
+ OTRL_MSGTYPE_TAGGEDPLAINTEXT,
+ OTRL_MSGTYPE_QUERY,
+ OTRL_MSGTYPE_DH_COMMIT,
+ OTRL_MSGTYPE_DH_KEY,
+ OTRL_MSGTYPE_REVEALSIG,
+ OTRL_MSGTYPE_SIGNATURE,
+ OTRL_MSGTYPE_V1_KEYEXCH,
+ OTRL_MSGTYPE_DATA,
+ OTRL_MSGTYPE_ERROR,
+ OTRL_MSGTYPE_UNKNOWN
+} OtrlMessageType;
+
+typedef enum {
+ OTRL_FRAGMENT_UNFRAGMENTED,
+ OTRL_FRAGMENT_INCOMPLETE,
+ OTRL_FRAGMENT_COMPLETE
+} OtrlFragmentResult;
+
+typedef enum {
+ OTRL_FRAGMENT_SEND_ALL,
+ OTRL_FRAGMENT_SEND_ALL_BUT_FIRST,
+ OTRL_FRAGMENT_SEND_ALL_BUT_LAST
+} OtrlFragmentPolicy;
+
+/* Initialize the OTR library. Pass the version of the API you are
+ * using. */
+void otrl_init(unsigned int ver_major, unsigned int ver_minor,
+ unsigned int ver_sub);
+
+/* Shortcut */
+#define OTRL_INIT do { \
+ otrl_init(OTRL_VERSION_MAJOR, OTRL_VERSION_MINOR, OTRL_VERSION_SUB); \
+ } while(0)
+
+/* Return a pointer to a static string containing the version number of
+ * the OTR library. */
+const char *otrl_version(void);
+
+/* Return a pointer to a newly-allocated OTR query message, customized
+ * with our name. The caller should free() the result when he's done
+ * with it. */
+char *otrl_proto_default_query_msg(const char *ourname, OtrlPolicy policy);
+
+/* Return the best version of OTR support by both sides, given an OTR
+ * Query Message and the local policy. */
+unsigned int otrl_proto_query_bestversion(const char *querymsg,
+ OtrlPolicy policy);
+
+/* Locate any whitespace tag in this message, and return the best
+ * version of OTR support on both sides. Set *starttagp and *endtagp to
+ * the start and end of the located tag, so that it can be snipped out. */
+unsigned int otrl_proto_whitespace_bestversion(const char *msg,
+ const char **starttagp, const char **endtagp, OtrlPolicy policy);
+
+/* Return the Message type of the given message. */
+OtrlMessageType otrl_proto_message_type(const char *message);
+
+/* Create an OTR Data message. Pass the plaintext as msg, and an
+ * optional chain of TLVs. A newly-allocated string will be returned in
+ * *encmessagep. */
+gcry_error_t otrl_proto_create_data(char **encmessagep, ConnContext *context,
+ const char *msg, const OtrlTLV *tlvs, unsigned char flags);
+
+/* Extract the flags from an otherwise unreadable Data Message. */
+gcry_error_t otrl_proto_data_read_flags(const char *datamsg,
+ unsigned char *flagsp);
+
+/* Accept an OTR Data Message in datamsg. Decrypt it and put the
+ * plaintext into *plaintextp, and any TLVs into tlvsp. Put any
+ * received flags into *flagsp (if non-NULL). */
+gcry_error_t otrl_proto_accept_data(char **plaintextp, OtrlTLV **tlvsp,
+ ConnContext *context, const char *datamsg, unsigned char *flagsp);
+
+/* Accumulate a potential fragment into the current context. */
+OtrlFragmentResult otrl_proto_fragment_accumulate(char **unfragmessagep,
+ ConnContext *context, const char *msg);
+
+gcry_error_t otrl_proto_fragment_create(int mms, int fragment_count,
+ char ***fragments, const char *message);
+
+void otrl_proto_fragment_free(char ***fragments, unsigned short arraylen);
+#endif
diff --git a/plugins/MirOTR/libotr/src/serial.h b/plugins/MirOTR/libotr/src/serial.h
new file mode 100644
index 0000000000..edc31847e1
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/serial.h
@@ -0,0 +1,85 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __SERIAL_H__
+#define __SERIAL_H__
+
+#undef DEBUG
+
+#ifdef DEBUG
+
+#include <stdio.h>
+
+#define debug_data(t,b,l) do { const unsigned char *data = (b); size_t i; \
+ fprintf(stderr, "%s: ", (t)); \
+ for(i=0;i<(l);++i) { \
+ fprintf(stderr, "%02x", data[i]); \
+ } \
+ fprintf(stderr, "\n"); \
+ } while(0)
+
+#define debug_int(t,b) do { const unsigned char *data = (b); \
+ unsigned int v = \
+ (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; \
+ fprintf(stderr, "%s: %u (0x%x)\n", (t), v, v); \
+ } while(0)
+
+#else
+#define debug_data(t,b,l)
+#define debug_int(t,b)
+#endif
+
+#define write_int(x) do { \
+ bufp[0] = ((x) >> 24) & 0xff; \
+ bufp[1] = ((x) >> 16) & 0xff; \
+ bufp[2] = ((x) >> 8) & 0xff; \
+ bufp[3] = (x) & 0xff; \
+ bufp += 4; lenp -= 4; \
+ } while(0)
+
+#define write_mpi(x,nx,dx) do { \
+ write_int(nx); \
+ gcry_mpi_print(format, bufp, lenp, NULL, (x)); \
+ debug_data((dx), bufp, (nx)); \
+ bufp += (nx); lenp -= (nx); \
+ } while(0)
+
+#define require_len(l) do { \
+ if (lenp < (l)) goto invval; \
+ } while(0)
+
+#define read_int(x) do { \
+ require_len(4); \
+ (x) = (bufp[0] << 24) | (bufp[1] << 16) | (bufp[2] << 8) | bufp[3]; \
+ bufp += 4; lenp -= 4; \
+ } while(0)
+
+#define read_mpi(x) do { \
+ size_t mpilen; \
+ read_int(mpilen); \
+ if (mpilen) { \
+ require_len(mpilen); \
+ gcry_mpi_scan(&(x), GCRYMPI_FMT_USG, bufp, mpilen, NULL); \
+ } else { \
+ (x) = gcry_mpi_set_ui(NULL, 0); \
+ } \
+ bufp += mpilen; lenp -= mpilen; \
+ } while(0)
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/sm.c b/plugins/MirOTR/libotr/src/sm.c
new file mode 100644
index 0000000000..535ae2243c
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/sm.c
@@ -0,0 +1,929 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* system headers */
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+
+/* libgcrypt headers */
+#include <gcrypt.h>
+
+/* libotr headers */
+#include "sm.h"
+#include "serial.h"
+
+static const int SM_MSG1_LEN = 6;
+static const int SM_MSG2_LEN = 11;
+static const int SM_MSG3_LEN = 8;
+static const int SM_MSG4_LEN = 3;
+
+/* The modulus p */
+static const char* SM_MODULUS_S = "0x"
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF";
+/* The order of the group q = (p-1)/2 */
+static const char* SM_ORDER_S = "0x"
+ "7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68"
+ "948127044533E63A0105DF531D89CD9128A5043CC71A026E"
+ "F7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122"
+ "F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6"
+ "F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9E"
+ "E1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AF"
+ "C1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36"
+ "B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF";
+static const char *SM_GENERATOR_S = "0x02";
+static const int SM_MOD_LEN_BITS = 1536;
+static const int SM_MOD_LEN_BYTES = 192;
+
+static gcry_mpi_t SM_MODULUS = NULL;
+static gcry_mpi_t SM_GENERATOR = NULL;
+static gcry_mpi_t SM_ORDER = NULL;
+static gcry_mpi_t SM_MODULUS_MINUS_2 = NULL;
+
+/*
+ * Call this once, at plugin load time. It sets up the modulus and
+ * generator MPIs.
+ */
+void otrl_sm_init(void)
+{
+ gcry_check_version(NULL);
+ gcry_mpi_scan(&SM_MODULUS, GCRYMPI_FMT_HEX, SM_MODULUS_S, 0, NULL);
+ gcry_mpi_scan(&SM_ORDER, GCRYMPI_FMT_HEX, SM_ORDER_S, 0, NULL);
+ gcry_mpi_scan(&SM_GENERATOR, GCRYMPI_FMT_HEX, SM_GENERATOR_S,
+ 0, NULL);
+ SM_MODULUS_MINUS_2 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_sub_ui(SM_MODULUS_MINUS_2, SM_MODULUS, 2);
+}
+
+/*
+ * Initialize the fields of a SM state.
+ */
+void otrl_sm_state_new(OtrlSMState *smst)
+{
+ smst->secret = NULL;
+ smst->x2 = NULL;
+ smst->x3 = NULL;
+ smst->g1 = NULL;
+ smst->g2 = NULL;
+ smst->g3 = NULL;
+ smst->g3o = NULL;
+ smst->p = NULL;
+ smst->q = NULL;
+ smst->pab = NULL;
+ smst->qab = NULL;
+ smst->nextExpected = OTRL_SMP_EXPECT1;
+ smst->received_question = 0;
+ smst->sm_prog_state = OTRL_SMP_PROG_OK;
+}
+
+/*
+ * Initialize the fields of a SM state. Called the first time that
+ * a user begins an SMP session.
+ */
+void otrl_sm_state_init(OtrlSMState *smst)
+{
+ otrl_sm_state_free(smst);
+ smst->secret = gcry_mpi_new(SM_MOD_LEN_BITS);
+ smst->x2 = NULL;
+ smst->x3 = NULL;
+ smst->g1 = gcry_mpi_copy(SM_GENERATOR);
+ smst->g2 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ smst->g3 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ smst->g3o = gcry_mpi_new(SM_MOD_LEN_BITS);
+ smst->p = gcry_mpi_new(SM_MOD_LEN_BITS);
+ smst->q = gcry_mpi_new(SM_MOD_LEN_BITS);
+ smst->pab = gcry_mpi_new(SM_MOD_LEN_BITS);
+ smst->qab = gcry_mpi_new(SM_MOD_LEN_BITS);
+ smst->received_question = 0;
+ smst->sm_prog_state = OTRL_SMP_PROG_OK;
+}
+
+/*
+ * Initialize the fields of a SM message1.
+ * [0] = g2a, [1] = c2, [2] = d2, [3] = g3a, [4] = c3, [5] = d3
+ */
+void otrl_sm_msg1_init(gcry_mpi_t **msg1)
+{
+ gcry_mpi_t *msg = malloc(SM_MSG1_LEN * sizeof(gcry_mpi_t));
+ msg[0] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[1] = NULL;
+ msg[2] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[3] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[4] = NULL;
+ msg[5] = gcry_mpi_new(SM_MOD_LEN_BITS);
+
+ *msg1 = msg;
+}
+
+/*
+ * Initialize the fields of a SM message2.
+ * [0] = g2b, [1] = c2, [2] = d2, [3] = g3b, [4] = c3, [5] = d3
+ * [6] = pb, [7] = qb, [8] = cp, [9] = d5, [10] = d6
+ */
+void otrl_sm_msg2_init(gcry_mpi_t **msg2)
+{
+ gcry_mpi_t *msg = malloc(SM_MSG2_LEN * sizeof(gcry_mpi_t));
+ msg[0] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[1] = NULL;
+ msg[2] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[3] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[4] = NULL;
+ msg[5] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[6] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[7] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[8] = NULL;
+ msg[9] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[10] = gcry_mpi_new(SM_MOD_LEN_BITS);
+
+ *msg2 = msg;
+}
+
+/*
+ * Initialize the fields of a SM message3.
+ * [0] = pa, [1] = qa, [2] = cp, [3] = d5, [4] = d6, [5] = ra,
+ * [6] = cr, [7] = d7
+ */
+void otrl_sm_msg3_init(gcry_mpi_t **msg3)
+{
+ gcry_mpi_t *msg = malloc(SM_MSG3_LEN * sizeof(gcry_mpi_t));
+ msg[0] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[1] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[2] = NULL;
+ msg[3] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[4] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[5] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[6] = NULL;
+ msg[7] = gcry_mpi_new(SM_MOD_LEN_BITS);
+
+ *msg3 = msg;
+}
+
+/*
+ * Initialize the fields of a SM message4.
+ * [0] = rb, [1] = cr, [2] = d7
+ */
+void otrl_sm_msg4_init(gcry_mpi_t **msg4)
+{
+ gcry_mpi_t *msg = malloc(SM_MSG4_LEN * sizeof(gcry_mpi_t));
+ msg[0] = gcry_mpi_new(SM_MOD_LEN_BITS);
+ msg[1] = NULL;
+ msg[2] = gcry_mpi_new(SM_MOD_LEN_BITS);
+
+ *msg4 = msg;
+}
+
+/*
+ * Deallocate the contents of a OtrlSMState (but not the OtrlSMState
+ * itself)
+ */
+void otrl_sm_state_free(OtrlSMState *smst)
+{
+ gcry_mpi_release(smst->secret);
+ gcry_mpi_release(smst->x2);
+ gcry_mpi_release(smst->x3);
+ gcry_mpi_release(smst->g1);
+ gcry_mpi_release(smst->g2);
+ gcry_mpi_release(smst->g3);
+ gcry_mpi_release(smst->g3o);
+ gcry_mpi_release(smst->p);
+ gcry_mpi_release(smst->q);
+ gcry_mpi_release(smst->pab);
+ gcry_mpi_release(smst->qab);
+ otrl_sm_state_new(smst);
+}
+
+/*
+ * Deallocate the contents of a message
+ */
+void otrl_sm_msg_free(gcry_mpi_t **message, int msglen)
+{
+ gcry_mpi_t *msg = *message;
+ int i;
+ for (i=0; i<msglen; i++) {
+ gcry_mpi_release(msg[i]);
+ }
+ free(msg);
+ *message = NULL;
+}
+
+static gcry_mpi_t randomExponent(void)
+{
+ unsigned char *secbuf = NULL;
+ gcry_mpi_t randexpon = NULL;
+
+ /* Generate a random exponent */
+ secbuf = gcry_random_bytes_secure(SM_MOD_LEN_BYTES, GCRY_STRONG_RANDOM);
+ gcry_mpi_scan(&randexpon, GCRYMPI_FMT_USG, secbuf, SM_MOD_LEN_BYTES, NULL);
+ gcry_free(secbuf);
+
+ return randexpon;
+}
+
+/*
+ * Hash one or two mpis. To hash only one mpi, b may be set to NULL.
+ */
+static gcry_error_t otrl_sm_hash(gcry_mpi_t* hash, int version,
+ const gcry_mpi_t a, const gcry_mpi_t b)
+{
+ unsigned char* input;
+ unsigned char output[SM_DIGEST_SIZE];
+ size_t sizea;
+ size_t sizeb;
+ size_t totalsize;
+ unsigned char* dataa;
+ unsigned char* datab;
+
+ gcry_mpi_aprint(GCRYMPI_FMT_USG, &dataa, &sizea, a);
+ totalsize = 1 + 4 + sizea;
+ if (b) {
+ gcry_mpi_aprint(GCRYMPI_FMT_USG, &datab, &sizeb, b);
+ totalsize += 4 + sizeb;
+ } else {
+ sizeb = 0;
+ }
+
+ input = malloc(totalsize);
+ input[0] = (unsigned char)version;
+ input[1] = (unsigned char)((sizea >> 24) & 0xFF);
+ input[2] = (unsigned char)((sizea >> 16) & 0xFF);
+ input[3] = (unsigned char)((sizea >> 8) & 0xFF);
+ input[4] = (unsigned char)(sizea & 0xFF);
+ memmove(input + 5, dataa, sizea);
+ if (b) {
+ input[5 + sizea] = (unsigned char)((sizeb >> 24) & 0xFF);
+ input[6 + sizea] = (unsigned char)((sizeb >> 16) & 0xFF);
+ input[7 + sizea] = (unsigned char)((sizeb >> 8) & 0xFF);
+ input[8 + sizea] = (unsigned char)(sizeb & 0xFF);
+ memmove(input + 9 + sizea, datab, sizeb);
+ }
+
+ gcry_md_hash_buffer(SM_HASH_ALGORITHM, output, input, totalsize);
+ gcry_mpi_scan(hash, GCRYMPI_FMT_USG, output, SM_DIGEST_SIZE, NULL);
+ free(input);
+ input = NULL;
+
+ /* free memory */
+ gcry_free(dataa);
+ if (b) gcry_free(datab);
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* This method should be passed a pointer to an uninitialized buffer,
+ * and a list of mpis with a list length. When returns, the buffer will
+ * point to newly-allocated memory (using malloc) containing a
+ * reversible serialization. */
+static gcry_error_t serialize_mpi_array(unsigned char **buffer, int *buflen,
+ unsigned int count, gcry_mpi_t *mpis)
+{
+ size_t totalsize = 0, lenp, nextsize;
+ unsigned int i, j;
+ size_t *list_sizes = malloc(count * sizeof(size_t));
+ unsigned char **tempbuffer = malloc(count * sizeof(unsigned char *));
+ unsigned char *bufp;
+
+ for (i=0; i<count; i++) {
+ gcry_mpi_aprint(GCRYMPI_FMT_USG, &(tempbuffer[i]), &(list_sizes[i]),
+ mpis[i]);
+ totalsize += list_sizes[i];
+ }
+
+ *buflen = (count+1)*4 + totalsize;
+ *buffer = malloc(*buflen * sizeof(char));
+
+ bufp = *buffer;
+ lenp = totalsize;
+
+ write_int(count);
+ for(i=0; i<count; i++)
+ {
+ nextsize = list_sizes[i];
+ write_int(nextsize);
+
+ for(j=0; j<nextsize; j++)
+ bufp[j] = tempbuffer[i][j];
+
+ bufp += nextsize;
+ lenp -= nextsize;
+ gcry_free(tempbuffer[i]);
+ }
+ free(tempbuffer);
+ free(list_sizes);
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Takes a buffer containing serialized and concatenated mpis
+ * and converts it to an array of gcry_mpi_t structs.
+ * The buffer is assumed to consist of a 4-byte int containing the
+ * number of mpis in the array, followed by {size, data} pairs for
+ * each mpi. If malformed, method returns GCRY_ERROR_INV_VALUE */
+static gcry_error_t unserialize_mpi_array(gcry_mpi_t **mpis,
+ unsigned int expcount, const unsigned char *buffer, const int buflen)
+{
+ int i;
+ int lenp = buflen;
+ unsigned int thecount = 0;
+ const unsigned char* bufp = buffer;
+ *mpis = NULL;
+
+ read_int(thecount);
+ if (thecount != expcount) goto invval;
+
+ *mpis = malloc(thecount * sizeof(gcry_mpi_t));
+
+ for (i=0; i<thecount; i++) {
+ (*mpis)[i] = NULL;
+ }
+
+ for (i=0; i<thecount; i++) {
+ read_mpi((*mpis)[i]);
+ }
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+
+invval:
+ if (*mpis) {
+ for (i=0; i<thecount; i++) {
+ gcry_mpi_release((*mpis)[i]);
+ }
+ free(*mpis);
+ *mpis = NULL;
+ }
+ return gcry_error(GPG_ERR_INV_VALUE);
+}
+
+/* Check that an MPI is in the right range to be a (non-unit) group
+ * element */
+static int check_group_elem(gcry_mpi_t g)
+{
+ if (gcry_mpi_cmp_ui(g, 2) < 0 ||
+ gcry_mpi_cmp(g, SM_MODULUS_MINUS_2) > 0) {
+ return 1;
+ }
+ return 0;
+}
+
+/* Check that an MPI is in the right range to be a (non-zero) exponent */
+static int check_expon(gcry_mpi_t x)
+{
+ if (gcry_mpi_cmp_ui(x, 1) < 0 ||
+ gcry_mpi_cmp(x, SM_ORDER) >= 0) {
+ return 1;
+ }
+ return 0;
+}
+
+/*
+ * Proof of knowledge of a discrete logarithm
+ */
+static gcry_error_t otrl_sm_proof_know_log(gcry_mpi_t *c, gcry_mpi_t *d, const gcry_mpi_t g, const gcry_mpi_t x, int version)
+{
+ gcry_mpi_t r = randomExponent();
+ gcry_mpi_t temp = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_powm(temp, g, r, SM_MODULUS);
+ otrl_sm_hash(c, version, temp, NULL);
+ gcry_mpi_mulm(temp, x, *c, SM_ORDER);
+ gcry_mpi_subm(*d, r, temp, SM_ORDER);
+ gcry_mpi_release(temp);
+ gcry_mpi_release(r);
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/*
+ * Verify a proof of knowledge of a discrete logarithm. Checks that c = h(g^d x^c)
+ */
+static int otrl_sm_check_know_log(const gcry_mpi_t c, const gcry_mpi_t d, const gcry_mpi_t g, const gcry_mpi_t x, int version)
+{
+ int comp;
+
+ gcry_mpi_t gd = gcry_mpi_new(SM_MOD_LEN_BITS); /* g^d */
+ gcry_mpi_t xc = gcry_mpi_new(SM_MOD_LEN_BITS); /* x^c */
+ gcry_mpi_t gdxc = gcry_mpi_new(SM_MOD_LEN_BITS); /* (g^d x^c) */
+ gcry_mpi_t hgdxc = NULL; /* h(g^d x^c) */
+
+ gcry_mpi_powm(gd, g, d, SM_MODULUS);
+ gcry_mpi_powm(xc, x, c, SM_MODULUS);
+ gcry_mpi_mulm(gdxc, gd, xc, SM_MODULUS);
+ otrl_sm_hash(&hgdxc, version, gdxc, NULL);
+
+ comp = gcry_mpi_cmp(hgdxc, c);
+ gcry_mpi_release(gd);
+ gcry_mpi_release(xc);
+ gcry_mpi_release(gdxc);
+ gcry_mpi_release(hgdxc);
+
+ return comp;
+}
+
+/*
+ * Proof of knowledge of coordinates with first components being equal
+ */
+static gcry_error_t otrl_sm_proof_equal_coords(gcry_mpi_t *c, gcry_mpi_t *d1, gcry_mpi_t *d2, const OtrlSMState *state, const gcry_mpi_t r, int version)
+{
+ gcry_mpi_t r1 = randomExponent();
+ gcry_mpi_t r2 = randomExponent();
+ gcry_mpi_t temp1 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_t temp2 = gcry_mpi_new(SM_MOD_LEN_BITS);
+
+ /* Compute the value of c, as c = h(g3^r1, g1^r1 g2^r2) */
+ gcry_mpi_powm(temp1, state->g1, r1, SM_MODULUS);
+ gcry_mpi_powm(temp2, state->g2, r2, SM_MODULUS);
+ gcry_mpi_mulm(temp2, temp1, temp2, SM_MODULUS);
+ gcry_mpi_powm(temp1, state->g3, r1, SM_MODULUS);
+ otrl_sm_hash(c, version, temp1, temp2);
+
+ /* Compute the d values, as d1 = r1 - r c, d2 = r2 - secret c */
+ gcry_mpi_mulm(temp1, r, *c, SM_ORDER);
+ gcry_mpi_subm(*d1, r1, temp1, SM_ORDER);
+
+ gcry_mpi_mulm(temp1, state->secret, *c, SM_ORDER);
+ gcry_mpi_subm(*d2, r2, temp1, SM_ORDER);
+
+ /* All clear */
+ gcry_mpi_release(r1);
+ gcry_mpi_release(r2);
+ gcry_mpi_release(temp1);
+ gcry_mpi_release(temp2);
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/*
+ * Verify a proof of knowledge of coordinates with first components being equal
+ */
+static gcry_error_t otrl_sm_check_equal_coords(const gcry_mpi_t c, const gcry_mpi_t d1, const gcry_mpi_t d2, const gcry_mpi_t p, const gcry_mpi_t q, const OtrlSMState *state, int version)
+{
+ int comp;
+
+ gcry_mpi_t temp1 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_t temp2 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_t temp3 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_t cprime = NULL;
+
+ /* To verify, we test that hash(g3^d1 * p^c, g1^d1 * g2^d2 * q^c) = c
+ * If indeed c = hash(g3^r1, g1^r1 g2^r2), d1 = r1 - r*c,
+ * d2 = r2 - secret*c. And if indeed p = g3^r, q = g1^r * g2^secret
+ * Then we should have that:
+ * hash(g3^d1 * p^c, g1^d1 * g2^d2 * q^c)
+ * = hash(g3^(r1 - r*c + r*c), g1^(r1 - r*c + q*c) *
+ * g2^(r2 - secret*c + secret*c))
+ * = hash(g3^r1, g1^r1 g2^r2)
+ * = c
+ */
+ gcry_mpi_powm(temp2, state->g3, d1, SM_MODULUS);
+ gcry_mpi_powm(temp3, p, c, SM_MODULUS);
+ gcry_mpi_mulm(temp1, temp2, temp3, SM_MODULUS);
+
+ gcry_mpi_powm(temp2, state->g1, d1, SM_MODULUS);
+ gcry_mpi_powm(temp3, state->g2, d2, SM_MODULUS);
+ gcry_mpi_mulm(temp2, temp2, temp3, SM_MODULUS);
+ gcry_mpi_powm(temp3, q, c, SM_MODULUS);
+ gcry_mpi_mulm(temp2, temp3, temp2, SM_MODULUS);
+
+ otrl_sm_hash(&cprime, version, temp1, temp2);
+
+ comp = gcry_mpi_cmp(c, cprime);
+ gcry_mpi_release(temp1);
+ gcry_mpi_release(temp2);
+ gcry_mpi_release(temp3);
+ gcry_mpi_release(cprime);
+
+ return comp;
+}
+
+/*
+ * Proof of knowledge of logs with exponents being equal
+ */
+static gcry_error_t otrl_sm_proof_equal_logs(gcry_mpi_t *c, gcry_mpi_t *d, OtrlSMState *state, int version)
+{
+ gcry_mpi_t r = randomExponent();
+ gcry_mpi_t temp1 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_t temp2 = gcry_mpi_new(SM_MOD_LEN_BITS);
+
+ /* Compute the value of c, as c = h(g1^r, (Qa/Qb)^r) */
+ gcry_mpi_powm(temp1, state->g1, r, SM_MODULUS);
+ gcry_mpi_powm(temp2, state->qab, r, SM_MODULUS);
+ otrl_sm_hash(c, version, temp1, temp2);
+
+ /* Compute the d values, as d = r - x3 c */
+ gcry_mpi_mulm(temp1, state->x3, *c, SM_ORDER);
+ gcry_mpi_subm(*d, r, temp1, SM_ORDER);
+
+ /* All clear */
+ gcry_mpi_release(r);
+ gcry_mpi_release(temp1);
+ gcry_mpi_release(temp2);
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/*
+ * Verify a proof of knowledge of logs with exponents being equal
+ */
+static gcry_error_t otrl_sm_check_equal_logs(const gcry_mpi_t c, const gcry_mpi_t d, const gcry_mpi_t r, const OtrlSMState *state, int version)
+{
+ int comp;
+
+ gcry_mpi_t temp1 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_t temp2 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_t temp3 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_t cprime = NULL;
+
+ /* Here, we recall the exponents used to create g3.
+ * If we have previously seen g3o = g1^x where x is unknown
+ * during the DH exchange to produce g3, then we may proceed with:
+ *
+ * To verify, we test that hash(g1^d * g3o^c, qab^d * r^c) = c
+ * If indeed c = hash(g1^r1, qab^r1), d = r1- x * c
+ * And if indeed r = qab^x
+ * Then we should have that:
+ * hash(g1^d * g3o^c, qab^d r^c)
+ * = hash(g1^(r1 - x*c + x*c), qab^(r1 - x*c + x*c))
+ * = hash(g1^r1, qab^r1)
+ * = c
+ */
+ gcry_mpi_powm(temp2, state->g1, d, SM_MODULUS);
+ gcry_mpi_powm(temp3, state->g3o, c, SM_MODULUS);
+ gcry_mpi_mulm(temp1, temp2, temp3, SM_MODULUS);
+
+ gcry_mpi_powm(temp3, state->qab, d, SM_MODULUS);
+ gcry_mpi_powm(temp2, r, c, SM_MODULUS);
+ gcry_mpi_mulm(temp2, temp3, temp2, SM_MODULUS);
+
+ otrl_sm_hash(&cprime, version, temp1, temp2);
+
+ comp = gcry_mpi_cmp(c, cprime);
+ gcry_mpi_release(temp1);
+ gcry_mpi_release(temp2);
+ gcry_mpi_release(temp3);
+ gcry_mpi_release(cprime);
+
+ return comp;
+}
+
+/* Create first message in SMP exchange. Input is Alice's secret value
+ * which this protocol aims to compare to Bob's. Output is a serialized
+ * mpi array whose elements correspond to the following:
+ * [0] = g2a, Alice's half of DH exchange to determine g2
+ * [1] = c2, [2] = d2, Alice's ZK proof of knowledge of g2a exponent
+ * [3] = g3a, Alice's half of DH exchange to determine g3
+ * [4] = c3, [5] = d3, Alice's ZK proof of knowledge of g3a exponent */
+gcry_error_t otrl_sm_step1(OtrlSMAliceState *astate,
+ const unsigned char* secret, int secretlen,
+ unsigned char** output, int* outputlen)
+{
+ /* Initialize the sm state or update the secret */
+ gcry_mpi_t secret_mpi = NULL;
+ gcry_mpi_t *msg1;
+
+ *output = NULL;
+ *outputlen = 0;
+
+ gcry_mpi_scan(&secret_mpi, GCRYMPI_FMT_USG, secret, secretlen, NULL);
+
+ if (! astate->g1) {
+ otrl_sm_state_init(astate);
+ }
+ gcry_mpi_set(astate->secret, secret_mpi);
+ gcry_mpi_release(secret_mpi);
+ astate->received_question = 0;
+
+ otrl_sm_msg1_init(&msg1);
+
+ astate->x2 = randomExponent();
+ astate->x3 = randomExponent();
+
+ gcry_mpi_powm(msg1[0], astate->g1, astate->x2, SM_MODULUS);
+ otrl_sm_proof_know_log(&(msg1[1]), &(msg1[2]), astate->g1, astate->x2, 1);
+
+ gcry_mpi_powm(msg1[3], astate->g1, astate->x3, SM_MODULUS);
+ otrl_sm_proof_know_log(&(msg1[4]), &(msg1[5]), astate->g1, astate->x3, 2);
+
+ serialize_mpi_array(output, outputlen, SM_MSG1_LEN, msg1);
+ otrl_sm_msg_free(&msg1, SM_MSG1_LEN);
+ astate->sm_prog_state = OTRL_SMP_PROG_OK;
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Receive the first message in SMP exchange, which was generated by
+ * otrl_sm_step1. Input is saved until the user inputs their secret
+ * information. No output. */
+gcry_error_t otrl_sm_step2a(OtrlSMBobState *bstate, const unsigned char* input, const int inputlen, int received_question)
+{
+ gcry_mpi_t *msg1;
+ gcry_error_t err;
+
+ /* Initialize the sm state if needed */
+ if (! bstate->g1) {
+ otrl_sm_state_init(bstate);
+ }
+ bstate->received_question = received_question;
+ bstate->sm_prog_state = OTRL_SMP_PROG_CHEATED;
+
+ /* Read from input to find the mpis */
+ err = unserialize_mpi_array(&msg1, SM_MSG1_LEN, input, inputlen);
+
+ if (err != gcry_error(GPG_ERR_NO_ERROR)) return err;
+
+ if (check_group_elem(msg1[0]) || check_expon(msg1[2]) ||
+ check_group_elem(msg1[3]) || check_expon(msg1[5])) {
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Store Alice's g3a value for later in the protocol */
+ gcry_mpi_set(bstate->g3o, msg1[3]);
+
+ /* Verify Alice's proofs */
+ if (otrl_sm_check_know_log(msg1[1], msg1[2], bstate->g1, msg1[0], 1) ||
+ otrl_sm_check_know_log(msg1[4], msg1[5], bstate->g1, msg1[3], 2)) {
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Create Bob's half of the generators g2 and g3 */
+ bstate->x2 = randomExponent();
+ bstate->x3 = randomExponent();
+
+ /* Combine the two halves from Bob and Alice and determine g2 and g3 */
+ gcry_mpi_powm(bstate->g2, msg1[0], bstate->x2, SM_MODULUS);
+ gcry_mpi_powm(bstate->g3, msg1[3], bstate->x3, SM_MODULUS);
+
+ bstate->sm_prog_state = OTRL_SMP_PROG_OK;
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Create second message in SMP exchange. Input is Bob's secret value.
+ * Information from earlier steps in the exchange is taken from Bob's
+ * state. Output is a serialized mpi array whose elements correspond
+ * to the following:
+ * [0] = g2b, Bob's half of DH exchange to determine g2
+ * [1] = c2, [2] = d2, Bob's ZK proof of knowledge of g2b exponent
+ * [3] = g3b, Bob's half of DH exchange to determine g3
+ * [4] = c3, [5] = d3, Bob's ZK proof of knowledge of g3b exponent
+ * [6] = pb, [7] = qb, Bob's halves of the (Pa/Pb) and (Qa/Qb) values
+ * [8] = cp, [9] = d5, [10] = d6, Bob's ZK proof that pb, qb formed correctly */
+gcry_error_t otrl_sm_step2b(OtrlSMBobState *bstate, const unsigned char* secret, int secretlen, unsigned char **output, int* outputlen)
+{
+ /* Convert the given secret to the proper form and store it */
+ gcry_mpi_t r, qb1, qb2;
+ gcry_mpi_t *msg2;
+ gcry_mpi_t secret_mpi = NULL;
+
+ *output = NULL;
+ *outputlen = 0;
+
+ gcry_mpi_scan(&secret_mpi, GCRYMPI_FMT_USG, secret, secretlen, NULL);
+ gcry_mpi_set(bstate->secret, secret_mpi);
+ gcry_mpi_release(secret_mpi);
+
+ otrl_sm_msg2_init(&msg2);
+
+ gcry_mpi_powm(msg2[0], bstate->g1, bstate->x2, SM_MODULUS);
+ otrl_sm_proof_know_log(&(msg2[1]), &(msg2[2]), bstate->g1, bstate->x2, 3);
+
+ gcry_mpi_powm(msg2[3], bstate->g1, bstate->x3, SM_MODULUS);
+ otrl_sm_proof_know_log(&(msg2[4]), &(msg2[5]), bstate->g1, bstate->x3, 4);
+
+ /* Calculate P and Q values for Bob */
+ r = randomExponent();
+ qb1 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ qb2 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_powm(bstate->p, bstate->g3, r, SM_MODULUS);
+ gcry_mpi_set(msg2[6], bstate->p);
+ gcry_mpi_powm(qb1, bstate->g1, r, SM_MODULUS);
+ gcry_mpi_powm(qb2, bstate->g2, bstate->secret, SM_MODULUS);
+ gcry_mpi_mulm(bstate->q, qb1, qb2, SM_MODULUS);
+ gcry_mpi_set(msg2[7], bstate->q);
+
+ otrl_sm_proof_equal_coords(&(msg2[8]), &(msg2[9]), &(msg2[10]), bstate, r, 5);
+
+ /* Convert to serialized form */
+ serialize_mpi_array(output, outputlen, SM_MSG2_LEN, msg2);
+
+ /* Free up memory for unserialized and intermediate values */
+ gcry_mpi_release(r);
+ gcry_mpi_release(qb1);
+ gcry_mpi_release(qb2);
+ otrl_sm_msg_free(&msg2, SM_MSG2_LEN);
+
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Create third message in SMP exchange. Input is a message generated
+ * by otrl_sm_step2b. Output is a serialized mpi array whose elements
+ * correspond to the following:
+ * [0] = pa, [1] = qa, Alice's halves of the (Pa/Pb) and (Qa/Qb) values
+ * [2] = cp, [3] = d5, [4] = d6, Alice's ZK proof that pa, qa formed correctly
+ * [5] = ra, calculated as (Qa/Qb)^x3 where x3 is the exponent used in g3a
+ * [6] = cr, [7] = d7, Alice's ZK proof that ra is formed correctly */
+gcry_error_t otrl_sm_step3(OtrlSMAliceState *astate, const unsigned char* input, const int inputlen, unsigned char **output, int* outputlen)
+{
+ /* Read from input to find the mpis */
+ gcry_mpi_t r, qa1, qa2, inv;
+ gcry_mpi_t *msg2;
+ gcry_mpi_t *msg3;
+ gcry_error_t err;
+
+ *output = NULL;
+ *outputlen = 0;
+ astate->sm_prog_state = OTRL_SMP_PROG_CHEATED;
+
+ err = unserialize_mpi_array(&msg2, SM_MSG2_LEN, input, inputlen);
+ if (err != gcry_error(GPG_ERR_NO_ERROR)) return err;
+
+ if (check_group_elem(msg2[0]) || check_group_elem(msg2[3]) ||
+ check_group_elem(msg2[6]) || check_group_elem(msg2[7]) ||
+ check_expon(msg2[2]) || check_expon(msg2[5]) ||
+ check_expon(msg2[9]) || check_expon(msg2[10])) {
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ otrl_sm_msg3_init(&msg3);
+
+ /* Store Bob's g3a value for later in the protocol */
+ gcry_mpi_set(astate->g3o, msg2[3]);
+
+ /* Verify Bob's knowledge of discreet log proofs */
+ if (otrl_sm_check_know_log(msg2[1], msg2[2], astate->g1, msg2[0], 3) ||
+ otrl_sm_check_know_log(msg2[4], msg2[5], astate->g1, msg2[3], 4)) {
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Combine the two halves from Bob and Alice and determine g2 and g3 */
+ gcry_mpi_powm(astate->g2, msg2[0], astate->x2, SM_MODULUS);
+ gcry_mpi_powm(astate->g3, msg2[3], astate->x3, SM_MODULUS);
+
+ /* Verify Bob's coordinate equality proof */
+ if (otrl_sm_check_equal_coords(msg2[8], msg2[9], msg2[10], msg2[6], msg2[7], astate, 5))
+ return gcry_error(GPG_ERR_INV_VALUE);
+
+ /* Calculate P and Q values for Alice */
+ r = randomExponent();
+ qa1 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ qa2 = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_powm(astate->p, astate->g3, r, SM_MODULUS);
+ gcry_mpi_set(msg3[0], astate->p);
+ gcry_mpi_powm(qa1, astate->g1, r, SM_MODULUS);
+ gcry_mpi_powm(qa2, astate->g2, astate->secret, SM_MODULUS);
+ gcry_mpi_mulm(astate->q, qa1, qa2, SM_MODULUS);
+ gcry_mpi_set(msg3[1], astate->q);
+
+ otrl_sm_proof_equal_coords(&(msg3[2]), &(msg3[3]), &(msg3[4]), astate, r, 6);
+
+ /* Calculate Ra and proof */
+ inv = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_invm(inv, msg2[6], SM_MODULUS);
+ gcry_mpi_mulm(astate->pab, astate->p, inv, SM_MODULUS);
+ gcry_mpi_invm(inv, msg2[7], SM_MODULUS);
+ gcry_mpi_mulm(astate->qab, astate->q, inv, SM_MODULUS);
+ gcry_mpi_powm(msg3[5], astate->qab, astate->x3, SM_MODULUS);
+ otrl_sm_proof_equal_logs(&(msg3[6]), &(msg3[7]), astate, 7);
+
+ serialize_mpi_array(output, outputlen, SM_MSG3_LEN, msg3);
+ otrl_sm_msg_free(&msg2, SM_MSG2_LEN);
+ otrl_sm_msg_free(&msg3, SM_MSG3_LEN);
+
+ gcry_mpi_release(r);
+ gcry_mpi_release(qa1);
+ gcry_mpi_release(qa2);
+ gcry_mpi_release(inv);
+
+ astate->sm_prog_state = OTRL_SMP_PROG_OK;
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Create final message in SMP exchange. Input is a message generated
+ * by otrl_sm_step3. Output is a serialized mpi array whose elements
+ * correspond to the following:
+ * [0] = rb, calculated as (Qa/Qb)^x3 where x3 is the exponent used in g3b
+ * [1] = cr, [2] = d7, Bob's ZK proof that rb is formed correctly
+ * This method also checks if Alice and Bob's secrets were the same. If
+ * so, it returns NO_ERROR. If the secrets differ, an INV_VALUE error is
+ * returned instead. */
+gcry_error_t otrl_sm_step4(OtrlSMBobState *bstate, const unsigned char* input, const int inputlen, unsigned char **output, int* outputlen)
+{
+ /* Read from input to find the mpis */
+ int comp;
+ gcry_mpi_t inv, rab;
+ gcry_mpi_t *msg3;
+ gcry_mpi_t *msg4;
+ gcry_error_t err;
+ err = unserialize_mpi_array(&msg3, SM_MSG3_LEN, input, inputlen);
+
+ *output = NULL;
+ *outputlen = 0;
+ bstate->sm_prog_state = OTRL_SMP_PROG_CHEATED;
+
+ if (err != gcry_error(GPG_ERR_NO_ERROR)) return err;
+
+ otrl_sm_msg4_init(&msg4);
+
+ if (check_group_elem(msg3[0]) || check_group_elem(msg3[1]) ||
+ check_group_elem(msg3[5]) || check_expon(msg3[3]) ||
+ check_expon(msg3[4]) || check_expon(msg3[7])) {
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Verify Alice's coordinate equality proof */
+ if (otrl_sm_check_equal_coords(msg3[2], msg3[3], msg3[4], msg3[0], msg3[1], bstate, 6))
+ return gcry_error(GPG_ERR_INV_VALUE);
+
+ /* Find Pa/Pb and Qa/Qb */
+ inv = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_invm(inv, bstate->p, SM_MODULUS);
+ gcry_mpi_mulm(bstate->pab, msg3[0], inv, SM_MODULUS);
+ gcry_mpi_invm(inv, bstate->q, SM_MODULUS);
+ gcry_mpi_mulm(bstate->qab, msg3[1], inv, SM_MODULUS);
+
+ /* Verify Alice's log equality proof */
+ if (otrl_sm_check_equal_logs(msg3[6], msg3[7], msg3[5], bstate, 7))
+ return gcry_error(GPG_ERR_INV_VALUE);
+
+ /* Calculate Rb and proof */
+ gcry_mpi_powm(msg4[0], bstate->qab, bstate->x3, SM_MODULUS);
+ otrl_sm_proof_equal_logs(&(msg4[1]), &(msg4[2]), bstate, 8);
+
+ serialize_mpi_array(output, outputlen, SM_MSG4_LEN, msg4);
+
+ /* Calculate Rab and verify that secrets match */
+ rab = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_powm(rab, msg3[5], bstate->x3, SM_MODULUS);
+ comp = gcry_mpi_cmp(rab, bstate->pab);
+
+ /* Clean up everything allocated in this step */
+ otrl_sm_msg_free(&msg3, SM_MSG3_LEN);
+ otrl_sm_msg_free(&msg4, SM_MSG4_LEN);
+ gcry_mpi_release(rab);
+ gcry_mpi_release(inv);
+
+ bstate->sm_prog_state = comp ? OTRL_SMP_PROG_FAILED :
+ OTRL_SMP_PROG_SUCCEEDED;
+
+ if (comp)
+ return gcry_error(GPG_ERR_INV_VALUE);
+ else
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
+
+/* Receives the final SMP message, which was generated in otrl_sm_step.
+ * This method checks if Alice and Bob's secrets were the same. If
+ * so, it returns NO_ERROR. If the secrets differ, an INV_VALUE error is
+ * returned instead. */
+gcry_error_t otrl_sm_step5(OtrlSMAliceState *astate, const unsigned char* input, const int inputlen)
+{
+ /* Read from input to find the mpis */
+ int comp;
+ gcry_mpi_t rab;
+ gcry_mpi_t *msg4;
+ gcry_error_t err;
+ err = unserialize_mpi_array(&msg4, SM_MSG4_LEN, input, inputlen);
+ astate->sm_prog_state = OTRL_SMP_PROG_CHEATED;
+
+ if (err != gcry_error(GPG_ERR_NO_ERROR)) return err;
+
+ if (check_group_elem(msg4[0]) || check_expon(msg4[2])) {
+ return gcry_error(GPG_ERR_INV_VALUE);
+ }
+
+ /* Verify Bob's log equality proof */
+ if (otrl_sm_check_equal_logs(msg4[1], msg4[2], msg4[0], astate, 8))
+ return gcry_error(GPG_ERR_INV_VALUE);
+
+ /* Calculate Rab and verify that secrets match */
+ rab = gcry_mpi_new(SM_MOD_LEN_BITS);
+ gcry_mpi_powm(rab, msg4[0], astate->x3, SM_MODULUS);
+
+ comp = gcry_mpi_cmp(rab, astate->pab);
+ gcry_mpi_release(rab);
+ otrl_sm_msg_free(&msg4, SM_MSG4_LEN);
+
+ astate->sm_prog_state = comp ? OTRL_SMP_PROG_FAILED :
+ OTRL_SMP_PROG_SUCCEEDED;
+
+ if (comp)
+ return gcry_error(GPG_ERR_INV_VALUE);
+ else
+ return gcry_error(GPG_ERR_NO_ERROR);
+}
diff --git a/plugins/MirOTR/libotr/src/sm.h b/plugins/MirOTR/libotr/src/sm.h
new file mode 100644
index 0000000000..2e94f07e64
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/sm.h
@@ -0,0 +1,83 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __SM_H__
+#define __SM_H__
+
+#include <gcrypt.h>
+
+#define SM_HASH_ALGORITHM GCRY_MD_SHA256
+#define SM_DIGEST_SIZE 32
+
+typedef enum {
+ OTRL_SMP_EXPECT1,
+ OTRL_SMP_EXPECT2,
+ OTRL_SMP_EXPECT3,
+ OTRL_SMP_EXPECT4,
+ OTRL_SMP_EXPECT5
+} NextExpectedSMP;
+
+typedef enum {
+ OTRL_SMP_PROG_OK = 0, /* All is going fine so far */
+ OTRL_SMP_PROG_CHEATED = -2, /* Some verification failed */
+ OTRL_SMP_PROG_FAILED = -1, /* The secrets didn't match */
+ OTRL_SMP_PROG_SUCCEEDED = 1 /* The SMP completed successfully */
+} OtrlSMProgState;
+
+typedef struct {
+ gcry_mpi_t secret, x2, x3, g1, g2, g3, g3o, p, q, pab, qab;
+ NextExpectedSMP nextExpected;
+ int received_question; /* 1 if we received a question in an SMP1Q TLV */
+ OtrlSMProgState sm_prog_state;
+} OtrlSMState;
+
+typedef OtrlSMState OtrlSMAliceState;
+typedef OtrlSMState OtrlSMBobState;
+
+/*
+ * Call this once, at plugin load time. It sets up the modulus and
+ * generator MPIs.
+ */
+void otrl_sm_init(void);
+
+/*
+ * Initialize the fields of a SM state.
+ */
+void otrl_sm_state_new(OtrlSMState *smst);
+
+/*
+ * Initialize the fields of a SM state. Called the first time that
+ * a user begins an SMP session.
+ */
+void otrl_sm_state_init(OtrlSMState *smst);
+
+/*
+ * Deallocate the contents of a OtrlSMState (but not the OtrlSMState
+ * itself)
+ */
+void otrl_sm_state_free(OtrlSMState *smst);
+
+gcry_error_t otrl_sm_step1(OtrlSMAliceState *astate, const unsigned char* secret, int secretlen, unsigned char** output, int* outputlen);
+gcry_error_t otrl_sm_step2a(OtrlSMBobState *bstate, const unsigned char* input, const int inputlen, int received_question);
+gcry_error_t otrl_sm_step2b(OtrlSMBobState *bstate, const unsigned char* secret, int secretlen, unsigned char **output, int* outputlen);
+gcry_error_t otrl_sm_step3(OtrlSMAliceState *astate, const unsigned char* input, const int inputlen, unsigned char **output, int* outputlen);
+gcry_error_t otrl_sm_step4(OtrlSMBobState *bstate, const unsigned char* input, const int inputlen, unsigned char **output, int* outputlen);
+gcry_error_t otrl_sm_step5(OtrlSMAliceState *astate, const unsigned char* input, const int inputlen);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/tlv.c b/plugins/MirOTR/libotr/src/tlv.c
new file mode 100644
index 0000000000..0cea7b5fa2
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/tlv.c
@@ -0,0 +1,108 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#include "tlv.h"
+
+/* Make a single TLV, copying the supplied data */
+OtrlTLV *otrl_tlv_new(unsigned short type, unsigned short len,
+ const unsigned char *data)
+{
+ OtrlTLV *tlv = malloc(sizeof(OtrlTLV));
+ assert(tlv != NULL);
+ tlv->type = type;
+ tlv->len = len;
+ tlv->data = malloc(len + 1);
+ assert(tlv->data != NULL);
+ memmove(tlv->data, data, len);
+ tlv->data[tlv->len] = '\0';
+ tlv->next = NULL;
+ return tlv;
+}
+
+/* Construct a chain of TLVs from the given data */
+OtrlTLV *otrl_tlv_parse(const unsigned char *serialized, size_t seriallen)
+{
+ OtrlTLV *tlv = NULL;
+ OtrlTLV **tlvp = &tlv;
+ while (seriallen >= 4) {
+ unsigned short type = (serialized[0] << 8) + serialized[1];
+ unsigned short len = (serialized[2] << 8) + serialized[3];
+ serialized += 4; seriallen -=4;
+ if (seriallen < len) break;
+ *tlvp = otrl_tlv_new(type, len, serialized);
+ serialized += len;
+ seriallen -= len;
+ tlvp = &((*tlvp)->next);
+ }
+ return tlv;
+}
+
+/* Deallocate a chain of TLVs */
+void otrl_tlv_free(OtrlTLV *tlv)
+{
+ while (tlv) {
+ OtrlTLV *next = tlv->next;
+ free(tlv->data);
+ free(tlv);
+ tlv = next;
+ }
+}
+
+/* Find the serialized length of a chain of TLVs */
+size_t otrl_tlv_seriallen(const OtrlTLV *tlv)
+{
+ size_t totlen = 0;
+ while (tlv) {
+ totlen += tlv->len + 4;
+ tlv = tlv->next;
+ }
+ return totlen;
+}
+
+/* Serialize a chain of TLVs. The supplied buffer must already be large
+ * enough. */
+void otrl_tlv_serialize(unsigned char *buf, const OtrlTLV *tlv)
+{
+ while (tlv) {
+ buf[0] = (tlv->type >> 8) & 0xff;
+ buf[1] = tlv->type & 0xff;
+ buf[2] = (tlv->len >> 8) & 0xff;
+ buf[3] = tlv->len & 0xff;
+ buf += 4;
+ memmove(buf, tlv->data, tlv->len);
+ buf += tlv->len;
+ tlv = tlv->next;
+ }
+}
+
+/* Return the first TLV with the given type in the chain, or NULL if one
+ * isn't found. (The tlvs argument isn't const because the return type
+ * needs to be non-const.) */
+OtrlTLV *otrl_tlv_find(OtrlTLV *tlvs, unsigned short type)
+{
+ while (tlvs) {
+ if (tlvs->type == type) return tlvs;
+ tlvs = tlvs->next;
+ }
+ return NULL;
+}
diff --git a/plugins/MirOTR/libotr/src/tlv.h b/plugins/MirOTR/libotr/src/tlv.h
new file mode 100644
index 0000000000..affe0d58e1
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/tlv.h
@@ -0,0 +1,70 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __TLV_H__
+#define __TLV_H__
+
+typedef struct s_OtrlTLV {
+ unsigned short type;
+ unsigned short len;
+ unsigned char *data;
+ struct s_OtrlTLV *next;
+} OtrlTLV;
+
+/* TLV types */
+
+/* This is just padding for the encrypted message, and should be ignored. */
+#define OTRL_TLV_PADDING 0x0000
+
+/* The sender has thrown away his OTR session keys with you */
+#define OTRL_TLV_DISCONNECTED 0x0001
+
+/* The message contains a step in the Socialist Millionaires' Protocol. */
+#define OTRL_TLV_SMP1 0x0002
+#define OTRL_TLV_SMP2 0x0003
+#define OTRL_TLV_SMP3 0x0004
+#define OTRL_TLV_SMP4 0x0005
+#define OTRL_TLV_SMP_ABORT 0x0006
+/* Like OTRL_TLV_SMP1, but there's a question for the buddy at the
+ * beginning */
+#define OTRL_TLV_SMP1Q 0x0007
+
+/* Make a single TLV, copying the supplied data */
+OtrlTLV *otrl_tlv_new(unsigned short type, unsigned short len,
+ const unsigned char *data);
+
+/* Construct a chain of TLVs from the given data */
+OtrlTLV *otrl_tlv_parse(const unsigned char *serialized, size_t seriallen);
+
+/* Deallocate a chain of TLVs */
+void otrl_tlv_free(OtrlTLV *tlv);
+
+/* Find the serialized length of a chain of TLVs */
+size_t otrl_tlv_seriallen(const OtrlTLV *tlv);
+
+/* Serialize a chain of TLVs. The supplied buffer must already be large
+ * enough. */
+void otrl_tlv_serialize(unsigned char *buf, const OtrlTLV *tlv);
+
+/* Return the first TLV with the given type in the chain, or NULL if one
+ * isn't found. (The tlvs argument isn't const because the return type
+ * needs to be non-const.) */
+OtrlTLV *otrl_tlv_find(OtrlTLV *tlvs, unsigned short type);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/userstate.c b/plugins/MirOTR/libotr/src/userstate.c
new file mode 100644
index 0000000000..6de95b8e42
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/userstate.c
@@ -0,0 +1,51 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* system headers */
+#include <stdlib.h>
+
+/* libotr headers */
+#include "context.h"
+#include "privkey.h"
+#include "userstate.h"
+
+/* Create a new OtrlUserState. Most clients will only need one of
+ * these. A OtrlUserState encapsulates the list of known fingerprints
+ * and the list of private keys; if you have separate files for these
+ * things for (say) different users, use different OtrlUserStates. If
+ * you've got only one user, with multiple accounts all stored together
+ * in the same fingerprint store and privkey store files, use just one
+ * OtrlUserState. */
+OtrlUserState otrl_userstate_create(void)
+{
+ OtrlUserState us = malloc(sizeof(struct s_OtrlUserState));
+ if (!us) return NULL;
+ us->context_root = NULL;
+ us->privkey_root = NULL;
+
+ return us;
+}
+
+/* Free a OtrlUserState */
+void otrl_userstate_free(OtrlUserState us)
+{
+ otrl_context_forget_all(us);
+ otrl_privkey_forget_all(us);
+ free(us);
+}
diff --git a/plugins/MirOTR/libotr/src/userstate.h b/plugins/MirOTR/libotr/src/userstate.h
new file mode 100644
index 0000000000..8525df0518
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/userstate.h
@@ -0,0 +1,45 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __USERSTATE_H__
+#define __USERSTATE_H__
+
+typedef struct s_OtrlUserState* OtrlUserState;
+
+#include "context.h"
+#include "privkey-t.h"
+
+struct s_OtrlUserState {
+ ConnContext *context_root;
+ OtrlPrivKey *privkey_root;
+};
+
+/* Create a new OtrlUserState. Most clients will only need one of
+ * these. A OtrlUserState encapsulates the list of known fingerprints
+ * and the list of private keys; if you have separate files for these
+ * things for (say) different users, use different OtrlUserStates. If
+ * you've got only one user, with multiple accounts all stored together
+ * in the same fingerprint store and privkey store files, use just one
+ * OtrlUserState. */
+OtrlUserState otrl_userstate_create(void);
+
+/* Free a OtrlUserState */
+void otrl_userstate_free(OtrlUserState us);
+
+#endif
diff --git a/plugins/MirOTR/libotr/src/version.h b/plugins/MirOTR/libotr/src/version.h
new file mode 100644
index 0000000000..11cb586699
--- /dev/null
+++ b/plugins/MirOTR/libotr/src/version.h
@@ -0,0 +1,29 @@
+/*
+ * Off-the-Record Messaging library
+ * Copyright (C) 2004-2008 Ian Goldberg, Chris Alexander, Nikita Borisov
+ * <otr@cypherpunks.ca>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of version 2.1 of the GNU Lesser General
+ * Public License as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef __VERSION_H__
+#define __VERSION_H__
+
+#define OTRL_VERSION "3.2.0"
+
+#define OTRL_VERSION_MAJOR 3
+#define OTRL_VERSION_MINOR 2
+#define OTRL_VERSION_SUB 0
+
+#endif