diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
| commit | 6bf0a5cb5034a7e684dcc3500e841785237ce2dd (patch) | |
| tree | a68f146d7fa01f0134297619fbe7e33db084e0aa /comm/third_party/libotr/src | |
| parent | Initial commit. (diff) | |
| download | thunderbird-upstream.tar.xz thunderbird-upstream.zip | |
Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'comm/third_party/libotr/src')
31 files changed, 11302 insertions, 0 deletions
diff --git a/comm/third_party/libotr/src/Makefile.am b/comm/third_party/libotr/src/Makefile.am new file mode 100644 index 0000000000..c2146cff8e --- /dev/null +++ b/comm/third_party/libotr/src/Makefile.am @@ -0,0 +1,14 @@ +AM_CPPFLAGS = @LIBGCRYPT_CFLAGS@ + +lib_LTLIBRARIES = libotr.la + +libotr_la_SOURCES = privkey.c context.c proto.c b64.c dh.c mem.c message.c \ + userstate.c tlv.c auth.c sm.c context_priv.c instag.c + +libotr_la_LDFLAGS = -version-info @LIBOTR_LIBTOOL_VERSION@ @LIBS@ @LIBGCRYPT_LIBS@ + +otrincdir = $(includedir)/libotr + +otrinc_HEADERS = b64.h context.h dh.h mem.h message.h privkey.h proto.h \ + version.h userstate.h tlv.h serial.h auth.h sm.h privkey-t.h \ + context_priv.h instag.h diff --git a/comm/third_party/libotr/src/Makefile.in b/comm/third_party/libotr/src/Makefile.in new file mode 100644 index 0000000000..41789c7b66 --- /dev/null +++ b/comm/third_party/libotr/src/Makefile.in @@ -0,0 +1,680 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/config/depcomp $(otrinc_HEADERS) +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/config/libtool.m4 \ + $(top_srcdir)/config/ltoptions.m4 \ + $(top_srcdir)/config/ltsugar.m4 \ + $(top_srcdir)/config/ltversion.m4 \ + $(top_srcdir)/config/lt~obsolete.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(otrincdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +libotr_la_LIBADD = +am_libotr_la_OBJECTS = privkey.lo context.lo proto.lo b64.lo dh.lo \ + mem.lo message.lo userstate.lo tlv.lo auth.lo sm.lo \ + context_priv.lo instag.lo +libotr_la_OBJECTS = $(am_libotr_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libotr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libotr_la_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/config/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libotr_la_SOURCES) +DIST_SOURCES = $(libotr_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +HEADERS = $(otrinc_HEADERS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@ +LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@ +LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBOTR_LIBTOOL_VERSION = @LIBOTR_LIBTOOL_VERSION@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AM_CPPFLAGS = @LIBGCRYPT_CFLAGS@ +lib_LTLIBRARIES = libotr.la +libotr_la_SOURCES = privkey.c context.c proto.c b64.c dh.c mem.c message.c \ + userstate.c tlv.c auth.c sm.c context_priv.c instag.c + +libotr_la_LDFLAGS = -version-info @LIBOTR_LIBTOOL_VERSION@ @LIBS@ @LIBGCRYPT_LIBS@ +otrincdir = $(includedir)/libotr +otrinc_HEADERS = b64.h context.h dh.h mem.h message.h privkey.h proto.h \ + version.h userstate.h tlv.h serial.h auth.h sm.h privkey-t.h \ + context_priv.h instag.h + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libotr.la: $(libotr_la_OBJECTS) $(libotr_la_DEPENDENCIES) $(EXTRA_libotr_la_DEPENDENCIES) + $(AM_V_CCLD)$(libotr_la_LINK) -rpath $(libdir) $(libotr_la_OBJECTS) $(libotr_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/b64.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/context.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/context_priv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/instag.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privkey.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proto.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sm.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tlv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/userstate.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-otrincHEADERS: $(otrinc_HEADERS) + @$(NORMAL_INSTALL) + @list='$(otrinc_HEADERS)'; test -n "$(otrincdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(otrincdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(otrincdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(otrincdir)'"; \ + $(INSTALL_HEADER) $$files "$(DESTDIR)$(otrincdir)" || exit $$?; \ + done + +uninstall-otrincHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(otrinc_HEADERS)'; test -n "$(otrincdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(otrincdir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(otrincdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-otrincHEADERS + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES uninstall-otrincHEADERS + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libLTLIBRARIES clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man \ + install-otrincHEADERS install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-libLTLIBRARIES uninstall-otrincHEADERS + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/comm/third_party/libotr/src/auth.c b/comm/third_party/libotr/src/auth.c new file mode 100644 index 0000000000..d0c55057e1 --- /dev/null +++ b/comm/third_party/libotr/src/auth.c @@ -0,0 +1,1573 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* system headers */ +#include <stdlib.h> +#include <string.h> +#include <assert.h> + +/* libotr headers */ +#include "b64.h" +#include "privkey.h" +#include "auth.h" +#include "serial.h" +#include "proto.h" +#include "context.h" +#include "mem.h" + +#if OTRL_DEBUGGING +#include <stdio.h> + +/* Dump the contents of an OtrlAuthInfo to the FILE *f. */ +void otrl_auth_dump(FILE *f, const OtrlAuthInfo *auth) +{ + int i; + + fprintf(f, " Auth info %p:\n", auth); + fprintf(f, " State: %d (%s)\n", auth->authstate, + auth->authstate == OTRL_AUTHSTATE_NONE ? "NONE" : + auth->authstate == OTRL_AUTHSTATE_AWAITING_DHKEY ? "AWAITING_DHKEY" : + auth->authstate == OTRL_AUTHSTATE_AWAITING_REVEALSIG ? + "AWAITING_REVEALSIG" : + auth->authstate == OTRL_AUTHSTATE_AWAITING_SIG ? "AWAITING_SIG" : + auth->authstate == OTRL_AUTHSTATE_V1_SETUP ? "V1_SETUP" : + "INVALID"); + fprintf(f, " Context: %p\n", auth->context); + fprintf(f, " Our keyid: %u\n", auth->our_keyid); + fprintf(f, " Their keyid: %u\n", auth->their_keyid); + fprintf(f, " Their fingerprint: "); + for (i=0;i<20;++i) { + fprintf(f, "%02x", auth->their_fingerprint[i]); + } + fprintf(f, "\n Initiated = %d\n", auth->initiated); + fprintf(f, "\n Proto version = %d\n", auth->protocol_version); + fprintf(f, "\n Lastauthmsg = %s\n", + auth->lastauthmsg ? auth->lastauthmsg : "(nil)"); + fprintf(f, "\n Commit sent time = %ld\n", + (long) auth->commit_sent_time); +} + +#endif + +/* + * Initialize the fields of an OtrlAuthInfo (already allocated). + */ +void otrl_auth_new(struct context *context) +{ + OtrlAuthInfo *auth = &(context->auth); + auth->authstate = OTRL_AUTHSTATE_NONE; + otrl_dh_keypair_init(&(auth->our_dh)); + auth->our_keyid = 0; + auth->encgx = NULL; + auth->encgx_len = 0; + memset(auth->r, 0, 16); + memset(auth->hashgx, 0, 32); + auth->their_pub = NULL; + auth->their_keyid = 0; + auth->enc_c = NULL; + auth->enc_cp = NULL; + auth->mac_m1 = NULL; + auth->mac_m1p = NULL; + auth->mac_m2 = NULL; + auth->mac_m2p = NULL; + memset(auth->their_fingerprint, 0, 20); + auth->initiated = 0; + auth->protocol_version = 0; + memset(auth->secure_session_id, 0, 20); + auth->secure_session_id_len = 0; + auth->lastauthmsg = NULL; + auth->commit_sent_time = 0; + auth->context = context; +} + +/* + * Clear the fields of an OtrlAuthInfo (but leave it allocated). + */ +void otrl_auth_clear(OtrlAuthInfo *auth) +{ + auth->authstate = OTRL_AUTHSTATE_NONE; + otrl_dh_keypair_free(&(auth->our_dh)); + auth->our_keyid = 0; + free(auth->encgx); + auth->encgx = NULL; + auth->encgx_len = 0; + memset(auth->r, 0, 16); + memset(auth->hashgx, 0, 32); + gcry_mpi_release(auth->their_pub); + auth->their_pub = NULL; + auth->their_keyid = 0; + gcry_cipher_close(auth->enc_c); + gcry_cipher_close(auth->enc_cp); + gcry_md_close(auth->mac_m1); + gcry_md_close(auth->mac_m1p); + gcry_md_close(auth->mac_m2); + gcry_md_close(auth->mac_m2p); + auth->enc_c = NULL; + auth->enc_cp = NULL; + auth->mac_m1 = NULL; + auth->mac_m1p = NULL; + auth->mac_m2 = NULL; + auth->mac_m2p = NULL; + memset(auth->their_fingerprint, 0, 20); + auth->initiated = 0; + auth->protocol_version = 0; + memset(auth->secure_session_id, 0, 20); + auth->secure_session_id_len = 0; + free(auth->lastauthmsg); + auth->lastauthmsg = NULL; + auth->commit_sent_time = 0; +} + +/* + * Start a fresh AKE (version 2 or 3) using the given OtrlAuthInfo. Generate + * a fresh DH keypair to use. If no error is returned, the message to + * transmit will be contained in auth->lastauthmsg. + */ +gcry_error_t otrl_auth_start_v23(OtrlAuthInfo *auth, int version) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + const enum gcry_mpi_format format = GCRYMPI_FMT_USG; + size_t npub; + gcry_cipher_hd_t enc = NULL; + unsigned char ctr[16]; + unsigned char *buf, *bufp; + size_t buflen, lenp; + + /* Clear out this OtrlAuthInfo and start over */ + otrl_auth_clear(auth); + auth->initiated = 1; + auth->protocol_version = version; + auth->context->protocol_version = version; + + otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh)); + auth->our_keyid = 1; + + /* Pick an encryption key */ + gcry_randomize(auth->r, 16, GCRY_STRONG_RANDOM); + + /* Allocate space for the encrypted g^x */ + gcry_mpi_print(format, NULL, 0, &npub, auth->our_dh.pub); + auth->encgx = malloc(4+npub); + if (auth->encgx == NULL) goto memerr; + auth->encgx_len = 4+npub; + bufp = auth->encgx; + lenp = auth->encgx_len; + write_mpi(auth->our_dh.pub, npub, "g^x"); + assert(lenp == 0); + + /* Hash g^x */ + gcry_md_hash_buffer(GCRY_MD_SHA256, auth->hashgx, auth->encgx, + auth->encgx_len); + + /* Encrypt g^x using the key r */ + err = gcry_cipher_open(&enc, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR, + GCRY_CIPHER_SECURE); + if (err) goto err; + + err = gcry_cipher_setkey(enc, auth->r, 16); + if (err) goto err; + + memset(ctr, 0, 16); + err = gcry_cipher_setctr(enc, ctr, 16); + if (err) goto err; + + err = gcry_cipher_encrypt(enc, auth->encgx, auth->encgx_len, NULL, 0); + if (err) goto err; + + gcry_cipher_close(enc); + enc = NULL; + + /* Now serialize the message */ + lenp = OTRL_HEADER_LEN + (auth->protocol_version == 3 ? 8 : 0) + 4 + + auth->encgx_len + 4 + 32; + bufp = malloc(lenp); + if (bufp == NULL) goto memerr; + buf = bufp; + buflen = lenp; + + /* Header */ + write_header(auth->protocol_version, '\x02'); + if (auth->protocol_version == 3) { + /* instance tags */ + write_int(auth->context->our_instance); + debug_int("Sender instag", bufp-4); + write_int(auth->context->their_instance); + debug_int("Recipient instag", bufp-4); + } + + /* Encrypted g^x */ + write_int(auth->encgx_len); + debug_int("Enc gx len", bufp-4); + memmove(bufp, auth->encgx, auth->encgx_len); + debug_data("Enc gx", bufp, auth->encgx_len); + bufp += auth->encgx_len; lenp -= auth->encgx_len; + + /* Hashed g^x */ + write_int(32); + debug_int("hashgx len", bufp-4); + memmove(bufp, auth->hashgx, 32); + debug_data("hashgx", bufp, 32); + bufp += 32; lenp -= 32; + + assert(lenp == 0); + + auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen); + free(buf); + if (auth->lastauthmsg == NULL) goto memerr; + auth->authstate = OTRL_AUTHSTATE_AWAITING_DHKEY; + + return err; + +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + otrl_auth_clear(auth); + gcry_cipher_close(enc); + return err; +} + +/* + * Create a D-H Key Message using the our_dh value in the given auth, + * and store it in auth->lastauthmsg. + */ +static gcry_error_t create_key_message(OtrlAuthInfo *auth) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + const enum gcry_mpi_format format = GCRYMPI_FMT_USG; + unsigned char *buf, *bufp; + size_t buflen, lenp; + size_t npub; + + gcry_mpi_print(format, NULL, 0, &npub, auth->our_dh.pub); + buflen = OTRL_HEADER_LEN + (auth->protocol_version == 3 ? 8 : 0) + 4 + npub; + buf = malloc(buflen); + if (buf == NULL) goto memerr; + bufp = buf; + lenp = buflen; + + /* header */ + write_header(auth->protocol_version, '\x0a'); + if (auth->protocol_version == 3) { + /* instance tags */ + write_int(auth->context->our_instance); + debug_int("Sender instag", bufp-4); + write_int(auth->context->their_instance); + debug_int("Recipient instag", bufp-4); + } + + /* g^y */ + write_mpi(auth->our_dh.pub, npub, "g^y"); + + assert(lenp == 0); + + free(auth->lastauthmsg); + auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen); + free(buf); + if (auth->lastauthmsg == NULL) goto memerr; + + return err; + +memerr: + err = gcry_error(GPG_ERR_ENOMEM); + return err; +} + +/* + * Handle an incoming D-H Commit Message. If no error is returned, the + * message to send will be left in auth->lastauthmsg. Generate a fresh + * keypair to use. + */ +gcry_error_t otrl_auth_handle_commit(OtrlAuthInfo *auth, + const char *commitmsg, int version) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + unsigned char *buf = NULL, *bufp = NULL, *encbuf = NULL; + unsigned char hashbuf[32]; + size_t buflen, lenp, enclen, hashlen; + int res; + + /* Are we the auth for the master context? */ + int is_master = (auth->context->m_context == auth->context); + + res = otrl_base64_otr_decode(commitmsg, &buf, &buflen); + if (res == -1) goto memerr; + if (res == -2) goto invval; + + bufp = buf; + lenp = buflen; + + /* Header */ + auth->protocol_version = version; + auth->context->protocol_version = version; + skip_header('\x02'); + + if (version == 3) { + require_len(8); + bufp += 8; lenp -= 8; + } + + /* Encrypted g^x */ + read_int(enclen); + require_len(enclen); + encbuf = malloc(enclen); + if (encbuf == NULL && enclen > 0) goto memerr; + memmove(encbuf, bufp, enclen); + bufp += enclen; lenp -= enclen; + + /* Hashed g^x */ + read_int(hashlen); + if (hashlen != 32) goto invval; + require_len(32); + memmove(hashbuf, bufp, 32); + bufp += 32; lenp -= 32; + + if (lenp != 0) goto invval; + free(buf); + buf = NULL; + + switch(auth->authstate) { + case OTRL_AUTHSTATE_NONE: + case OTRL_AUTHSTATE_AWAITING_SIG: + case OTRL_AUTHSTATE_V1_SETUP: + /* Store the incoming information */ + otrl_auth_clear(auth); + auth->protocol_version = version; + + otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh)); + + auth->our_keyid = 1; + auth->encgx = encbuf; + encbuf = NULL; + auth->encgx_len = enclen; + memmove(auth->hashgx, hashbuf, 32); + + /* Create a D-H Key Message */ + err = create_key_message(auth); + if (err) goto err; + auth->authstate = OTRL_AUTHSTATE_AWAITING_REVEALSIG; + break; + + case OTRL_AUTHSTATE_AWAITING_DHKEY: + /* We sent a D-H Commit Message, and we also received one + * back. If we're the master context, then the keypair in here + * is probably stale; we just kept it around for a little + * while in case some other logged in instance of our buddy + * replied with a DHKEY message. In that case, use the + * incoming parameters. Otherwise, compare the hashgx + * values to see which one wins. + * + * This does NOT use constant time comparison because these + * are two public values thus don't need it. Also, this checks + * which pubkey is larger and not if they are the same. */ + if (!is_master && memcmp(auth->hashgx, hashbuf, 32) > 0) { + /* Ours wins. Ignore the message we received, and just + * resend the same D-H Commit message again. */ + free(encbuf); + encbuf = NULL; + } else { + /* Ours loses. Use the incoming parameters instead. */ + otrl_auth_clear(auth); + auth->protocol_version = version; + otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh)); + auth->our_keyid = 1; + auth->encgx = encbuf; + encbuf = NULL; + auth->encgx_len = enclen; + memmove(auth->hashgx, hashbuf, 32); + + /* Create a D-H Key Message */ + err = create_key_message(auth); + if (err) goto err; + auth->authstate = OTRL_AUTHSTATE_AWAITING_REVEALSIG; + } + break; + case OTRL_AUTHSTATE_AWAITING_REVEALSIG: + /* Use the incoming parameters, but just retransmit the old + * D-H Key Message. */ + free(auth->encgx); + auth->encgx = encbuf; + encbuf = NULL; + auth->encgx_len = enclen; + memmove(auth->hashgx, hashbuf, 32); + break; + } + + return err; + +invval: + err = gcry_error(GPG_ERR_INV_VALUE); + goto err; +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + free(encbuf); + return err; +} + +/* + * Calculate the encrypted part of the Reveal Signature and Signature + * Messages, given a MAC key, an encryption key, two DH public keys, an + * authentication public key (contained in an OtrlPrivKey structure), + * and a keyid. If no error is returned, *authbufp will point to the + * result, and *authlenp will point to its length. + */ +static gcry_error_t calculate_pubkey_auth(unsigned char **authbufp, + size_t *authlenp, gcry_md_hd_t mackey, gcry_cipher_hd_t enckey, + gcry_mpi_t our_dh_pub, gcry_mpi_t their_dh_pub, + OtrlPrivKey *privkey, unsigned int keyid) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + const enum gcry_mpi_format format = GCRYMPI_FMT_USG; + size_t ourpublen, theirpublen, totallen, lenp; + unsigned char *buf = NULL, *bufp = NULL; + unsigned char macbuf[32]; + unsigned char *sigbuf = NULL; + size_t siglen; + + /* How big are the DH public keys? */ + gcry_mpi_print(format, NULL, 0, &ourpublen, our_dh_pub); + gcry_mpi_print(format, NULL, 0, &theirpublen, their_dh_pub); + + /* How big is the total structure to be MAC'd? */ + totallen = 4 + ourpublen + 4 + theirpublen + 2 + privkey->pubkey_datalen + + 4; + buf = malloc(totallen); + if (buf == NULL) goto memerr; + + bufp = buf; + lenp = totallen; + + /* Write the data to be MAC'd */ + write_mpi(our_dh_pub, ourpublen, "Our DH pubkey"); + write_mpi(their_dh_pub, theirpublen, "Their DH pubkey"); + bufp[0] = ((privkey->pubkey_type) >> 8) & 0xff; + bufp[1] = (privkey->pubkey_type) & 0xff; + bufp += 2; lenp -= 2; + memmove(bufp, privkey->pubkey_data, privkey->pubkey_datalen); + debug_data("Pubkey", bufp, privkey->pubkey_datalen); + bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen; + write_int(keyid); + debug_int("Keyid", bufp-4); + + assert(lenp == 0); + + /* Do the MAC */ + gcry_md_reset(mackey); + gcry_md_write(mackey, buf, totallen); + memmove(macbuf, gcry_md_read(mackey, GCRY_MD_SHA256), 32); + + free(buf); + buf = NULL; + + /* Sign the MAC */ + err = otrl_privkey_sign(&sigbuf, &siglen, privkey, macbuf, 32); + if (err) goto err; + + /* Calculate the total size of the structure to be encrypted */ + totallen = 2 + privkey->pubkey_datalen + 4 + siglen; + buf = malloc(totallen); + if (buf == NULL) goto memerr; + bufp = buf; + lenp = totallen; + + /* Write the data to be encrypted */ + bufp[0] = ((privkey->pubkey_type) >> 8) & 0xff; + bufp[1] = (privkey->pubkey_type) & 0xff; + bufp += 2; lenp -= 2; + memmove(bufp, privkey->pubkey_data, privkey->pubkey_datalen); + debug_data("Pubkey", bufp, privkey->pubkey_datalen); + bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen; + write_int(keyid); + debug_int("Keyid", bufp-4); + memmove(bufp, sigbuf, siglen); + debug_data("Signature", bufp, siglen); + bufp += siglen; lenp -= siglen; + free(sigbuf); + sigbuf = NULL; + + assert(lenp == 0); + + /* Now do the encryption */ + err = gcry_cipher_encrypt(enckey, buf, totallen, NULL, 0); + if (err) goto err; + + *authbufp = buf; + buf = NULL; + *authlenp = totallen; + + return err; +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + free(sigbuf); + return err; +} + +/* + * Decrypt the authenticator in the Reveal Signature and Signature + * Messages, given a MAC key, and encryption key, and two DH public + * keys. The fingerprint of the received public key will get put into + * fingerprintbufp, and the received keyid will get put in *keyidp. + * The encrypted data pointed to by authbuf will be decrypted in place. + */ +static gcry_error_t check_pubkey_auth(unsigned char fingerprintbufp[20], + unsigned int *keyidp, unsigned char *authbuf, size_t authlen, + gcry_md_hd_t mackey, gcry_cipher_hd_t enckey, + gcry_mpi_t our_dh_pub, gcry_mpi_t their_dh_pub) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + const enum gcry_mpi_format format = GCRYMPI_FMT_USG; + size_t ourpublen, theirpublen, totallen, lenp; + unsigned char *buf = NULL, *bufp = NULL; + unsigned char macbuf[32]; + unsigned short pubkey_type; + gcry_mpi_t p,q,g,y; + gcry_sexp_t pubs = NULL; + unsigned int received_keyid; + unsigned char *fingerprintstart, *fingerprintend, *sigbuf; + size_t siglen; + + /* Start by decrypting it */ + err = gcry_cipher_decrypt(enckey, authbuf, authlen, NULL, 0); + if (err) goto err; + + bufp = authbuf; + lenp = authlen; + + /* Get the public key and calculate its fingerprint */ + require_len(2); + pubkey_type = (bufp[0] << 8) + bufp[1]; + bufp += 2; lenp -= 2; + if (pubkey_type != OTRL_PUBKEY_TYPE_DSA) goto invval; + fingerprintstart = bufp; + read_mpi(p); + read_mpi(q); + read_mpi(g); + read_mpi(y); + fingerprintend = bufp; + gcry_md_hash_buffer(GCRY_MD_SHA1, fingerprintbufp, + fingerprintstart, fingerprintend-fingerprintstart); + gcry_sexp_build(&pubs, NULL, + "(public-key (dsa (p %m)(q %m)(g %m)(y %m)))", p, q, g, y); + gcry_mpi_release(p); + gcry_mpi_release(q); + gcry_mpi_release(g); + gcry_mpi_release(y); + + /* Get the keyid */ + read_int(received_keyid); + if (received_keyid == 0) goto invval; + + /* Get the signature */ + sigbuf = bufp; + siglen = lenp; + + /* How big are the DH public keys? */ + gcry_mpi_print(format, NULL, 0, &ourpublen, our_dh_pub); + gcry_mpi_print(format, NULL, 0, &theirpublen, their_dh_pub); + + /* Now calculate the message to be MAC'd. */ + totallen = 4 + ourpublen + 4 + theirpublen + 2 + + (fingerprintend - fingerprintstart) + 4; + buf = malloc(totallen); + if (buf == NULL) goto memerr; + + bufp = buf; + lenp = totallen; + + write_mpi(their_dh_pub, theirpublen, "Their DH pubkey"); + write_mpi(our_dh_pub, ourpublen, "Our DH pubkey"); + bufp[0] = (pubkey_type >> 8) & 0xff; + bufp[1] = pubkey_type & 0xff; + bufp += 2; lenp -= 2; + memmove(bufp, fingerprintstart, fingerprintend - fingerprintstart); + debug_data("Pubkey", bufp, fingerprintend - fingerprintstart); + bufp += fingerprintend - fingerprintstart; + lenp -= fingerprintend - fingerprintstart; + write_int(received_keyid); + debug_int("Keyid", bufp-4); + + assert(lenp == 0); + + /* Do the MAC */ + gcry_md_reset(mackey); + gcry_md_write(mackey, buf, totallen); + memmove(macbuf, gcry_md_read(mackey, GCRY_MD_SHA256), 32); + + free(buf); + buf = NULL; + + /* Verify the signature on the MAC */ + err = otrl_privkey_verify(sigbuf, siglen, pubkey_type, pubs, macbuf, 32); + if (err) goto err; + gcry_sexp_release(pubs); + pubs = NULL; + + /* Everything checked out */ + *keyidp = received_keyid; + + return err; +invval: + err = gcry_error(GPG_ERR_INV_VALUE); + goto err; +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + gcry_sexp_release(pubs); + return err; +} + +/* + * Create a Reveal Signature Message using the values in the given auth, + * and store it in auth->lastauthmsg. Use the given privkey to sign the + * message. + */ +static gcry_error_t create_revealsig_message(OtrlAuthInfo *auth, + OtrlPrivKey *privkey) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + unsigned char *buf = NULL, *bufp, *startmac; + size_t buflen, lenp; + + unsigned char *authbuf = NULL; + size_t authlen; + + /* Get the encrypted authenticator */ + err = calculate_pubkey_auth(&authbuf, &authlen, auth->mac_m1, auth->enc_c, + auth->our_dh.pub, auth->their_pub, privkey, auth->our_keyid); + if (err) goto err; + + buflen = OTRL_HEADER_LEN + (auth->protocol_version == 3 ? 8 : 0) + 4 + 16 + + 4 + authlen + 20; + buf = malloc(buflen); + if (buf == NULL) goto memerr; + + bufp = buf; + lenp = buflen; + + /* header */ + write_header(auth->protocol_version, '\x11'); + if (auth->protocol_version == 3) { + /* instance tags */ + write_int(auth->context->our_instance); + debug_int("Sender instag", bufp-4); + write_int(auth->context->their_instance); + debug_int("Recipient instag", bufp-4); + } + + /* r */ + write_int(16); + memmove(bufp, auth->r, 16); + debug_data("r", bufp, 16); + bufp += 16; lenp -= 16; + + /* Encrypted authenticator */ + startmac = bufp; + write_int(authlen); + memmove(bufp, authbuf, authlen); + debug_data("auth", bufp, authlen); + bufp += authlen; lenp -= authlen; + free(authbuf); + authbuf = NULL; + + /* MAC it, but only take the first 20 bytes */ + gcry_md_reset(auth->mac_m2); + gcry_md_write(auth->mac_m2, startmac, bufp - startmac); + memmove(bufp, gcry_md_read(auth->mac_m2, GCRY_MD_SHA256), 20); + debug_data("MAC", bufp, 20); + bufp += 20; lenp -= 20; + + assert(lenp == 0); + + free(auth->lastauthmsg); + auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen); + if (auth->lastauthmsg == NULL) goto memerr; + free(buf); + buf = NULL; + + return err; + +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + free(authbuf); + return err; +} + +/* + * Create a Signature Message using the values in the given auth, and + * store it in auth->lastauthmsg. Use the given privkey to sign the + * message. + */ +static gcry_error_t create_signature_message(OtrlAuthInfo *auth, + OtrlPrivKey *privkey) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + unsigned char *buf = NULL, *bufp, *startmac; + size_t buflen, lenp; + + unsigned char *authbuf = NULL; + size_t authlen; + + /* Get the encrypted authenticator */ + err = calculate_pubkey_auth(&authbuf, &authlen, auth->mac_m1p, + auth->enc_cp, auth->our_dh.pub, auth->their_pub, privkey, + auth->our_keyid); + if (err) goto err; + + buflen = OTRL_HEADER_LEN + (auth->protocol_version == 3 ? 8 : 0) + 4 + + authlen + 20; + buf = malloc(buflen); + if (buf == NULL) goto memerr; + + bufp = buf; + lenp = buflen; + + /* header */ + write_header(auth->protocol_version, '\x12'); + if (auth->protocol_version == 3) { + /* instance tags */ + write_int(auth->context->our_instance); + debug_int("Sender instag", bufp-4); + write_int(auth->context->their_instance); + debug_int("Recipient instag", bufp-4); + } + + /* Encrypted authenticator */ + startmac = bufp; + write_int(authlen); + memmove(bufp, authbuf, authlen); + debug_data("auth", bufp, authlen); + bufp += authlen; lenp -= authlen; + free(authbuf); + authbuf = NULL; + + /* MAC it, but only take the first 20 bytes */ + gcry_md_reset(auth->mac_m2p); + gcry_md_write(auth->mac_m2p, startmac, bufp - startmac); + memmove(bufp, gcry_md_read(auth->mac_m2p, GCRY_MD_SHA256), 20); + debug_data("MAC", bufp, 20); + bufp += 20; lenp -= 20; + + assert(lenp == 0); + + free(auth->lastauthmsg); + auth->lastauthmsg = otrl_base64_otr_encode(buf, buflen); + if (auth->lastauthmsg == NULL) goto memerr; + free(buf); + buf = NULL; + + return err; + +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + free(authbuf); + return err; +} + +/* + * Handle an incoming D-H Key Message. If no error is returned, and + * *havemsgp is 1, the message to sent will be left in auth->lastauthmsg. + * Use the given private authentication key to sign messages. + */ +gcry_error_t otrl_auth_handle_key(OtrlAuthInfo *auth, const char *keymsg, + int *havemsgp, OtrlPrivKey *privkey) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + unsigned char *buf = NULL, *bufp = NULL; + size_t buflen, lenp; + gcry_mpi_t incoming_pub = NULL; + int res; + unsigned int msg_version; + + *havemsgp = 0; + + msg_version = otrl_proto_message_version(keymsg); + + res = otrl_base64_otr_decode(keymsg, &buf, &buflen); + if (res == -1) goto memerr; + if (res == -2) goto invval; + + bufp = buf; + lenp = buflen; + + /* Header */ + skip_header('\x0a'); + + if (msg_version == 3) { + require_len(8); + bufp += 8; lenp -= 8; + } + + /* g^y */ + read_mpi(incoming_pub); + + if (lenp != 0) goto invval; + free(buf); + buf = NULL; + + switch(auth->authstate) { + case OTRL_AUTHSTATE_AWAITING_DHKEY: + /* The other party may also be establishing a session with + another instance running a different version. Ignore any + DHKEY messages we aren't expecting. */ + if (msg_version != auth->protocol_version) { + goto err; + } + + /* Store the incoming public key */ + gcry_mpi_release(auth->their_pub); + auth->their_pub = incoming_pub; + incoming_pub = NULL; + + /* Compute the encryption and MAC keys */ + err = otrl_dh_compute_v2_auth_keys(&(auth->our_dh), + auth->their_pub, auth->secure_session_id, + &(auth->secure_session_id_len), + &(auth->enc_c), &(auth->enc_cp), + &(auth->mac_m1), &(auth->mac_m1p), + &(auth->mac_m2), &(auth->mac_m2p)); + if (err) goto err; + + /* Create the Reveal Signature Message */ + err = create_revealsig_message(auth, privkey); + if (err) goto err; + *havemsgp = 1; + auth->authstate = OTRL_AUTHSTATE_AWAITING_SIG; + + break; + + case OTRL_AUTHSTATE_AWAITING_SIG: + if (gcry_mpi_cmp(incoming_pub, auth->their_pub) == 0) { + /* Retransmit the Reveal Signature Message */ + *havemsgp = 1; + } else { + /* Ignore this message */ + *havemsgp = 0; + } + break; + case OTRL_AUTHSTATE_NONE: + case OTRL_AUTHSTATE_AWAITING_REVEALSIG: + case OTRL_AUTHSTATE_V1_SETUP: + /* Ignore this message */ + *havemsgp = 0; + break; + } + + gcry_mpi_release(incoming_pub); + return err; + +invval: + err = gcry_error(GPG_ERR_INV_VALUE); + goto err; +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + gcry_mpi_release(incoming_pub); + return err; +} + +/* + * Handle an incoming Reveal Signature Message. If no error is + * returned, and *havemsgp is 1, the message to be sent will be left in + * auth->lastauthmsg. Use the given private authentication key to sign + * messages. Call the auth_succeeded callback if authentication is + * successful. + */ +gcry_error_t otrl_auth_handle_revealsig(OtrlAuthInfo *auth, + const char *revealmsg, int *havemsgp, OtrlPrivKey *privkey, + gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata), + void *asdata) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + unsigned char *buf = NULL, *bufp = NULL, *gxbuf = NULL; + unsigned char *authstart, *authend, *macstart; + size_t buflen, lenp, rlen, authlen; + gcry_cipher_hd_t enc = NULL; + gcry_mpi_t incoming_pub = NULL; + unsigned char ctr[16], hashbuf[32]; + int res; + unsigned char version; + + *havemsgp = 0; + + res = otrl_base64_otr_decode(revealmsg, &buf, &buflen); + if (res == -1) goto memerr; + if (res == -2) goto invval; + + bufp = buf; + lenp = buflen; + + require_len(3); + version = bufp[1]; + + /* Header */ + skip_header('\x11'); + + if (version == 3) { + require_len(8); + bufp += 8; lenp -= 8; + } + + /* r */ + read_int(rlen); + if (rlen != 16) goto invval; + require_len(rlen); + memmove(auth->r, bufp, rlen); + bufp += rlen; lenp -= rlen; + + /* auth */ + authstart = bufp; + read_int(authlen); + require_len(authlen); + bufp += authlen; lenp -= authlen; + authend = bufp; + + /* MAC */ + require_len(20); + macstart = bufp; + bufp += 20; lenp -= 20; + + if (lenp != 0) goto invval; + + switch(auth->authstate) { + case OTRL_AUTHSTATE_AWAITING_REVEALSIG: + gxbuf = malloc(auth->encgx_len); + if (auth->encgx_len && gxbuf == NULL) goto memerr; + + /* Use r to decrypt the value of g^x we received earlier */ + err = gcry_cipher_open(&enc, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CTR, + GCRY_CIPHER_SECURE); + if (err) goto err; + + err = gcry_cipher_setkey(enc, auth->r, 16); + if (err) goto err; + + memset(ctr, 0, 16); + err = gcry_cipher_setctr(enc, ctr, 16); + if (err) goto err; + + err = gcry_cipher_decrypt(enc, gxbuf, auth->encgx_len, + auth->encgx, auth->encgx_len); + if (err) goto err; + + gcry_cipher_close(enc); + enc = NULL; + + /* Check the hash */ + gcry_md_hash_buffer(GCRY_MD_SHA256, hashbuf, gxbuf, + auth->encgx_len); + /* This isn't comparing secret data, but may as well use the + * constant-time version. */ + if (otrl_mem_differ(hashbuf, auth->hashgx, 32)) goto decfail; + + /* Extract g^x */ + bufp = gxbuf; + lenp = auth->encgx_len; + + read_mpi(incoming_pub); + free(gxbuf); + gxbuf = NULL; + + if (lenp != 0) goto invval; + + gcry_mpi_release(auth->their_pub); + auth->their_pub = incoming_pub; + incoming_pub = NULL; + + /* Compute the encryption and MAC keys */ + err = otrl_dh_compute_v2_auth_keys(&(auth->our_dh), + auth->their_pub, auth->secure_session_id, + &(auth->secure_session_id_len), + &(auth->enc_c), &(auth->enc_cp), + &(auth->mac_m1), &(auth->mac_m1p), + &(auth->mac_m2), &(auth->mac_m2p)); + if (err) goto err; + + /* Check the MAC */ + gcry_md_reset(auth->mac_m2); + gcry_md_write(auth->mac_m2, authstart, authend - authstart); + + if (otrl_mem_differ(macstart, + gcry_md_read(auth->mac_m2, GCRY_MD_SHA256), + 20)) goto invval; + + /* Check the auth */ + err = check_pubkey_auth(auth->their_fingerprint, + &(auth->their_keyid), authstart + 4, + authend - authstart - 4, auth->mac_m1, auth->enc_c, + auth->our_dh.pub, auth->their_pub); + if (err) goto err; + + authstart = NULL; + authend = NULL; + macstart = NULL; + free(buf); + buf = NULL; + + /* Create the Signature Message */ + err = create_signature_message(auth, privkey); + if (err) goto err; + + /* No error? Then we've completed our end of the + * authentication. */ + auth->session_id_half = OTRL_SESSIONID_SECOND_HALF_BOLD; + if (auth_succeeded) err = auth_succeeded(auth, asdata); + *havemsgp = 1; + auth->our_keyid = 0; + auth->authstate = OTRL_AUTHSTATE_NONE; + + break; + case OTRL_AUTHSTATE_NONE: + case OTRL_AUTHSTATE_AWAITING_DHKEY: + case OTRL_AUTHSTATE_AWAITING_SIG: + case OTRL_AUTHSTATE_V1_SETUP: + /* Ignore this message */ + *havemsgp = 0; + free(buf); + buf = NULL; + break; + } + + return err; + +decfail: + err = gcry_error(GPG_ERR_NO_ERROR); + goto err; +invval: + err = gcry_error(GPG_ERR_INV_VALUE); + goto err; +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + free(gxbuf); + gcry_cipher_close(enc); + gcry_mpi_release(incoming_pub); + return err; +} + +/* + * Handle an incoming Signature Message. If no error is returned, and + * *havemsgp is 1, the message to be sent will be left in + * auth->lastauthmsg. Call the auth_succeeded callback if + * authentication is successful. + */ +gcry_error_t otrl_auth_handle_signature(OtrlAuthInfo *auth, + const char *sigmsg, int *havemsgp, + gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata), + void *asdata) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + unsigned char *buf = NULL, *bufp = NULL; + unsigned char *authstart, *authend, *macstart; + size_t buflen, lenp, authlen; + int res; + unsigned char version; + + *havemsgp = 0; + + res = otrl_base64_otr_decode(sigmsg, &buf, &buflen); + if (res == -1) goto memerr; + if (res == -2) goto invval; + + bufp = buf; + lenp = buflen; + + require_len(3); + version = bufp[1]; + + /* Header */ + skip_header('\x12'); + + if (version == 3) { + require_len(8); + bufp += 8; lenp -= 8; + } + + /* auth */ + authstart = bufp; + read_int(authlen); + require_len(authlen); + bufp += authlen; lenp -= authlen; + authend = bufp; + + /* MAC */ + require_len(20); + macstart = bufp; + bufp += 20; lenp -= 20; + + if (lenp != 0) goto invval; + + switch(auth->authstate) { + case OTRL_AUTHSTATE_AWAITING_SIG: + /* Check the MAC */ + gcry_md_reset(auth->mac_m2p); + gcry_md_write(auth->mac_m2p, authstart, authend - authstart); + if (otrl_mem_differ(macstart, + gcry_md_read(auth->mac_m2p, GCRY_MD_SHA256), + 20)) goto invval; + + /* Check the auth */ + err = check_pubkey_auth(auth->their_fingerprint, + &(auth->their_keyid), authstart + 4, + authend - authstart - 4, auth->mac_m1p, auth->enc_cp, + auth->our_dh.pub, auth->their_pub); + if (err) goto err; + + authstart = NULL; + authend = NULL; + macstart = NULL; + free(buf); + buf = NULL; + + /* No error? Then we've completed our end of the + * authentication. */ + auth->session_id_half = OTRL_SESSIONID_FIRST_HALF_BOLD; + if (auth_succeeded) err = auth_succeeded(auth, asdata); + free(auth->lastauthmsg); + auth->lastauthmsg = NULL; + *havemsgp = 0; + auth->our_keyid = 0; + auth->authstate = OTRL_AUTHSTATE_NONE; + + break; + case OTRL_AUTHSTATE_NONE: + case OTRL_AUTHSTATE_AWAITING_DHKEY: + case OTRL_AUTHSTATE_AWAITING_REVEALSIG: + case OTRL_AUTHSTATE_V1_SETUP: + /* Ignore this message */ + *havemsgp = 0; + free(buf); + buf = NULL; + break; + } + + return err; + +invval: + err = gcry_error(GPG_ERR_INV_VALUE); + goto err; +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + return err; +} + +/* Version 1 routines, for compatibility */ + +/* + * Create a verion 1 Key Exchange Message using the values in the given + * auth, and store it in auth->lastauthmsg. Set the Reply field to the + * given value, and use the given privkey to sign the message. + */ +static gcry_error_t create_v1_key_exchange_message(OtrlAuthInfo *auth, + unsigned char reply, OtrlPrivKey *privkey) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + const enum gcry_mpi_format format = GCRYMPI_FMT_USG; + unsigned char *buf = NULL, *bufp = NULL, *sigbuf = NULL; + size_t lenp, ourpublen, totallen, siglen; + unsigned char hashbuf[20]; + + if (privkey->pubkey_type != OTRL_PUBKEY_TYPE_DSA) { + return gpg_error(GPG_ERR_INV_VALUE); + } + + /* How big is the DH public key? */ + gcry_mpi_print(format, NULL, 0, &ourpublen, auth->our_dh.pub); + + totallen = 3 + 1 + privkey->pubkey_datalen + 4 + 4 + ourpublen + 40; + buf = malloc(totallen); + if (buf == NULL) goto memerr; + + bufp = buf; + lenp = totallen; + + memmove(bufp, "\x00\x01\x0a", 3); /* header */ + debug_data("Header", bufp, 3); + bufp += 3; lenp -= 3; + + bufp[0] = reply; + debug_data("Reply", bufp, 1); + bufp += 1; lenp -= 1; + + memmove(bufp, privkey->pubkey_data, privkey->pubkey_datalen); + debug_data("Pubkey", bufp, privkey->pubkey_datalen); + bufp += privkey->pubkey_datalen; lenp -= privkey->pubkey_datalen; + + write_int(auth->our_keyid); + debug_int("Keyid", bufp-4); + + write_mpi(auth->our_dh.pub, ourpublen, "D-H y"); + + /* Hash all the data written so far, and sign the hash */ + gcry_md_hash_buffer(GCRY_MD_SHA1, hashbuf, buf, bufp - buf); + + err = otrl_privkey_sign(&sigbuf, &siglen, privkey, hashbuf, 20); + if (err) goto err; + + if (siglen != 40) goto invval; + memmove(bufp, sigbuf, 40); + debug_data("Signature", bufp, 40); + bufp += 40; lenp -= 40; + free(sigbuf); + sigbuf = NULL; + + assert(lenp == 0); + + free(auth->lastauthmsg); + auth->lastauthmsg = otrl_base64_otr_encode(buf, totallen); + if (auth->lastauthmsg == NULL) goto memerr; + free(buf); + buf = NULL; + + return err; + +invval: + err = gcry_error(GPG_ERR_INV_VALUE); + goto err; +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + free(sigbuf); + return err; +} + +/* + * Start a fresh AKE (version 1) using the given OtrlAuthInfo. If + * our_dh is NULL, generate a fresh DH keypair to use. Otherwise, use a + * copy of the one passed (with the given keyid). Use the given private + * key to sign the message. If no error is returned, the message to + * transmit will be contained in auth->lastauthmsg. + */ +gcry_error_t otrl_auth_start_v1(OtrlAuthInfo *auth, DH_keypair *our_dh, + unsigned int our_keyid, OtrlPrivKey *privkey) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + + /* Clear out this OtrlAuthInfo and start over */ + otrl_auth_clear(auth); + auth->initiated = 1; + auth->protocol_version = 1; + + /* Import the given DH keypair, or else create a fresh one */ + if (our_dh) { + otrl_dh_keypair_copy(&(auth->our_dh), our_dh); + auth->our_keyid = our_keyid; + } else { + otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh)); + auth->our_keyid = 1; + } + + err = create_v1_key_exchange_message(auth, 0, privkey); + if (!err) { + auth->authstate = OTRL_AUTHSTATE_V1_SETUP; + } + + return err; +} + +/* + * Handle an incoming v1 Key Exchange Message. If no error is returned, + * and *havemsgp is 1, the message to be sent will be left in + * auth->lastauthmsg. Use the given private authentication key to sign + * messages. Call the auth_secceeded callback if authentication is + * successful. If non-NULL, use a copy of the given D-H keypair, with + * the given keyid. + */ +gcry_error_t otrl_auth_handle_v1_key_exchange(OtrlAuthInfo *auth, + const char *keyexchmsg, int *havemsgp, OtrlPrivKey *privkey, + DH_keypair *our_dh, unsigned int our_keyid, + gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata), + void *asdata) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + unsigned char *buf = NULL, *bufp = NULL; + unsigned char *fingerprintstart, *fingerprintend; + unsigned char fingerprintbuf[20], hashbuf[20]; + gcry_mpi_t p, q, g, y, received_pub = NULL; + gcry_sexp_t pubs = NULL; + size_t buflen, lenp; + unsigned char received_reply; + unsigned int received_keyid; + int res; + + *havemsgp = 0; + + res = otrl_base64_otr_decode(keyexchmsg, &buf, &buflen); + if (res == -1) goto memerr; + if (res == -2) goto invval; + + bufp = buf; + lenp = buflen; + + /* Header */ + require_len(3); + if (memcmp(bufp, "\x00\x01\x0a", 3)) goto invval; + bufp += 3; lenp -= 3; + + /* Reply */ + require_len(1); + received_reply = bufp[0]; + bufp += 1; lenp -= 1; + + /* Public Key */ + fingerprintstart = bufp; + read_mpi(p); + read_mpi(q); + read_mpi(g); + read_mpi(y); + fingerprintend = bufp; + gcry_md_hash_buffer(GCRY_MD_SHA1, fingerprintbuf, + fingerprintstart, fingerprintend-fingerprintstart); + gcry_sexp_build(&pubs, NULL, + "(public-key (dsa (p %m)(q %m)(g %m)(y %m)))", p, q, g, y); + gcry_mpi_release(p); + gcry_mpi_release(q); + gcry_mpi_release(g); + gcry_mpi_release(y); + + /* keyid */ + read_int(received_keyid); + if (received_keyid == 0) goto invval; + + /* D-H pubkey */ + read_mpi(received_pub); + + /* Verify the signature */ + if (lenp != 40) goto invval; + gcry_md_hash_buffer(GCRY_MD_SHA1, hashbuf, buf, bufp - buf); + err = otrl_privkey_verify(bufp, lenp, OTRL_PUBKEY_TYPE_DSA, + pubs, hashbuf, 20); + if (err) goto err; + gcry_sexp_release(pubs); + pubs = NULL; + free(buf); + buf = NULL; + + if (auth->authstate != OTRL_AUTHSTATE_V1_SETUP && received_reply == 0x01) { + /* They're replying to something we never sent. We must be + * logged in more than once; ignore the message. */ + err = gpg_error(GPG_ERR_NO_ERROR); + goto err; + } + + if (auth->authstate != OTRL_AUTHSTATE_V1_SETUP) { + /* Clear the auth and start over */ + otrl_auth_clear(auth); + } + + /* Everything checked out */ + auth->their_keyid = received_keyid; + gcry_mpi_release(auth->their_pub); + auth->their_pub = received_pub; + received_pub = NULL; + memmove(auth->their_fingerprint, fingerprintbuf, 20); + + if (received_reply == 0x01) { + /* Don't send a reply to this. */ + *havemsgp = 0; + } else { + /* Import the given DH keypair, or else create a fresh one */ + if (our_dh) { + otrl_dh_keypair_copy(&(auth->our_dh), our_dh); + auth->our_keyid = our_keyid; + } else if (auth->our_keyid == 0) { + otrl_dh_gen_keypair(DH1536_GROUP_ID, &(auth->our_dh)); + auth->our_keyid = 1; + } + + /* Reply with our own Key Exchange Message */ + err = create_v1_key_exchange_message(auth, 1, privkey); + if (err) goto err; + *havemsgp = 1; + } + + /* Compute the session id */ + err = otrl_dh_compute_v1_session_id(&(auth->our_dh), + auth->their_pub, auth->secure_session_id, + &(auth->secure_session_id_len), + &(auth->session_id_half)); + if (err) goto err; + + /* We've completed our end of the authentication */ + auth->protocol_version = 1; + if (auth_succeeded) err = auth_succeeded(auth, asdata); + auth->our_keyid = 0; + auth->authstate = OTRL_AUTHSTATE_NONE; + + return err; + +invval: + err = gcry_error(GPG_ERR_INV_VALUE); + goto err; +memerr: + err = gcry_error(GPG_ERR_ENOMEM); +err: + free(buf); + gcry_sexp_release(pubs); + gcry_mpi_release(received_pub); + return err; +} + +/* + * Copy relevant information from the master OtrlAuthInfo to an + * instance OtrlAuthInfo in response to a D-H Key with a new + * instance. The fields copied will depend on the state of the + * master auth. + */ +void otrl_auth_copy_on_key(OtrlAuthInfo *m_auth, OtrlAuthInfo *auth) +{ + switch(m_auth->authstate) { + case OTRL_AUTHSTATE_AWAITING_DHKEY: + case OTRL_AUTHSTATE_AWAITING_SIG: + /* Copy our D-H Commit information to the new instance */ + otrl_dh_keypair_free(&(auth->our_dh)); + auth->initiated = m_auth->initiated; + otrl_dh_keypair_copy(&(auth->our_dh), &(m_auth->our_dh)); + auth->our_keyid = m_auth->our_keyid; + memmove(auth->r, m_auth->r, 16); + if (auth->encgx) free(auth->encgx); + auth->encgx = malloc(m_auth->encgx_len); + memmove(auth->encgx, m_auth->encgx, m_auth->encgx_len); + memmove(auth->hashgx, m_auth->hashgx, 32); + + auth->authstate = OTRL_AUTHSTATE_AWAITING_DHKEY; + break; + + default: + /* This bad state will be detected and handled later */ + break; + } +} + +#ifdef OTRL_TESTING_AUTH +#include "mem.h" +#include "privkey.h" + +#define CHECK_ERR if (err) { printf("Error: %s\n", gcry_strerror(err)); \ + return 1; } + +static gcry_error_t starting(const OtrlAuthInfo *auth, void *asdata) +{ + char *name = asdata; + + fprintf(stderr, "\nStarting ENCRYPTED mode for %s (v%d).\n", + name, auth->protocol_version); + + fprintf(stderr, "\nour_dh (%d):", auth->our_keyid); + gcry_mpi_dump(auth->our_dh.pub); + fprintf(stderr, "\ntheir_pub (%d):", auth->their_keyid); + gcry_mpi_dump(auth->their_pub); + + debug_data("\nTheir fingerprint", auth->their_fingerprint, 20); + debug_data("\nSecure session id", auth->secure_session_id, + auth->secure_session_id_len); + fprintf(stderr, "Sessionid half: %d\n\n", auth->session_id_half); + + return gpg_error(GPG_ERR_NO_ERROR); +} + +int main(int argc, char **argv) +{ + OtrlAuthInfo alice, bob; + gcry_error_t err; + int havemsg; + OtrlUserState us; + OtrlPrivKey *alicepriv, *bobpriv; + + otrl_mem_init(); + otrl_dh_init(); + otrl_auth_new(&alice); + otrl_auth_new(&bob); + + us = otrl_userstate_create(); + otrl_privkey_read(us, "/home/iang/.gaim/otr.private_key"); + alicepriv = otrl_privkey_find(us, "oneeyedian", "prpl-oscar"); + bobpriv = otrl_privkey_find(us, "otr4ian", "prpl-oscar"); + + printf("\n\n ***** V2 *****\n\n"); + + err = otrl_auth_start_v23(&bob, NULL, 0); + CHECK_ERR + printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg); + err = otrl_auth_handle_commit(&alice, bob.lastauthmsg, NULL, 0); + CHECK_ERR + printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), alice.lastauthmsg); + err = otrl_auth_handle_key(&bob, alice.lastauthmsg, &havemsg, bobpriv); + CHECK_ERR + if (havemsg) { + printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg); + } else { + printf("\nIGNORE\n\n"); + } + err = otrl_auth_handle_revealsig(&alice, bob.lastauthmsg, &havemsg, + alicepriv, starting, "Alice"); + CHECK_ERR + if (havemsg) { + printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), + alice.lastauthmsg); + } else { + printf("\nIGNORE\n\n"); + } + err = otrl_auth_handle_signature(&bob, alice.lastauthmsg, &havemsg, + starting, "Bob"); + CHECK_ERR + + printf("\n\n ***** V1 *****\n\n"); + + err = otrl_auth_start_v1(&bob, NULL, 0, bobpriv); + CHECK_ERR + printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg); + err = otrl_auth_handle_v1_key_exchange(&alice, bob.lastauthmsg, + &havemsg, alicepriv, NULL, 0, starting, "Alice"); + CHECK_ERR + if (havemsg) { + printf("\nAlice: %d\n%s\n\n", strlen(alice.lastauthmsg), + alice.lastauthmsg); + } else { + printf("\nIGNORE\n\n"); + } + err = otrl_auth_handle_v1_key_exchange(&bob, alice.lastauthmsg, + &havemsg, bobpriv, NULL, 0, starting, "Bob"); + CHECK_ERR + if (havemsg) { + printf("\nBob: %d\n%s\n\n", strlen(bob.lastauthmsg), bob.lastauthmsg); + } else { + printf("\nIGNORE\n\n"); + } + + otrl_userstate_free(us); + otrl_auth_clear(&alice); + otrl_auth_clear(&bob); + return 0; +} +#endif diff --git a/comm/third_party/libotr/src/auth.h b/comm/third_party/libotr/src/auth.h new file mode 100644 index 0000000000..0b9db544aa --- /dev/null +++ b/comm/third_party/libotr/src/auth.h @@ -0,0 +1,177 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Rob Smits, Chris Alexander, + * Willy Lew, Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __AUTH_H__ +#define __AUTH_H__ + +#include <gcrypt.h> +#include <time.h> +#include "dh.h" + + +typedef enum { + OTRL_AUTHSTATE_NONE, + OTRL_AUTHSTATE_AWAITING_DHKEY, + OTRL_AUTHSTATE_AWAITING_REVEALSIG, + OTRL_AUTHSTATE_AWAITING_SIG, + OTRL_AUTHSTATE_V1_SETUP +} OtrlAuthState; + +typedef struct { + OtrlAuthState authstate; /* Our state */ + + struct context *context; /* The context which points to us */ + + DH_keypair our_dh; /* Our D-H key */ + unsigned int our_keyid; /* ...and its keyid */ + + unsigned char *encgx; /* The encrypted value of g^x */ + size_t encgx_len; /* ...and its length */ + unsigned char r[16]; /* The encryption key */ + + unsigned char hashgx[32]; /* SHA256(g^x) */ + + gcry_mpi_t their_pub; /* Their D-H public key */ + unsigned int their_keyid; /* ...and its keyid */ + + + gcry_cipher_hd_t enc_c, enc_cp; /* c and c' encryption keys */ + gcry_md_hd_t mac_m1, mac_m1p; /* m1 and m1' MAC keys */ + gcry_md_hd_t mac_m2, mac_m2p; /* m2 and m2' MAC keys */ + + unsigned char their_fingerprint[20]; /* The fingerprint of their + long-term signing key */ + + int initiated; /* Did we initiate this + authentication? */ + + unsigned int protocol_version; /* The protocol version number + used to authenticate. */ + + unsigned char secure_session_id[20]; /* The secure session id */ + size_t secure_session_id_len; /* And its actual length, + which may be either 20 (for + v1) or 8 (for v2) */ + OtrlSessionIdHalf session_id_half; /* Which half of the session + id gets shown in bold */ + + char *lastauthmsg; /* The last auth message + (base-64 encoded) we sent, + in case we need to + retransmit it. */ + + time_t commit_sent_time; /* The time we last sent the + lastauthmsg, if it was a + COMMIT message, and this is + a master context. 0 + otherwise. */ +} OtrlAuthInfo; + +#include "privkey-t.h" + +/* + * Initialize the fields of an OtrlAuthInfo (already allocated). + */ +void otrl_auth_new(struct context *context); + +/* + * Clear the fields of an OtrlAuthInfo (but leave it allocated). + */ +void otrl_auth_clear(OtrlAuthInfo *auth); + +/* + * Start a fresh AKE (version 2 or 3) using the given OtrlAuthInfo. Generate + * a fresh DH keypair to use. If no error is returned, the message to + * transmit will be contained in auth->lastauthmsg. + */ +gcry_error_t otrl_auth_start_v23(OtrlAuthInfo *auth, int version); + +/* + * Handle an incoming D-H Commit Message. If no error is returned, the + * message to send will be left in auth->lastauthmsg. Generate a fresh + * keypair to use. + */ +gcry_error_t otrl_auth_handle_commit(OtrlAuthInfo *auth, + const char *commitmsg, int version); + +/* + * Handle an incoming D-H Key Message. If no error is returned, and + * *havemsgp is 1, the message to sent will be left in auth->lastauthmsg. + * Use the given private authentication key to sign messages. + */ +gcry_error_t otrl_auth_handle_key(OtrlAuthInfo *auth, const char *keymsg, + int *havemsgp, OtrlPrivKey *privkey); + +/* + * Handle an incoming Reveal Signature Message. If no error is + * returned, and *havemsgp is 1, the message to be sent will be left in + * auth->lastauthmsg. Use the given private authentication key to sign + * messages. Call the auth_succeeded callback if authentication is + * successful. + */ +gcry_error_t otrl_auth_handle_revealsig(OtrlAuthInfo *auth, + const char *revealmsg, int *havemsgp, OtrlPrivKey *privkey, + gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata), + void *asdata); + +/* + * Handle an incoming Signature Message. If no error is returned, and + * *havemsgp is 1, the message to be sent will be left in + * auth->lastauthmsg. Call the auth_succeeded callback if + * authentication is successful. + */ +gcry_error_t otrl_auth_handle_signature(OtrlAuthInfo *auth, + const char *sigmsg, int *havemsgp, + gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata), + void *asdata); + +/* + * Start a fresh AKE (version 1) using the given OtrlAuthInfo. If + * our_dh is NULL, generate a fresh DH keypair to use. Otherwise, use a + * copy of the one passed (with the given keyid). Use the given private + * key to sign the message. If no error is returned, the message to + * transmit will be contained in auth->lastauthmsg. + */ +gcry_error_t otrl_auth_start_v1(OtrlAuthInfo *auth, DH_keypair *our_dh, + unsigned int our_keyid, OtrlPrivKey *privkey); + +/* + * Handle an incoming v1 Key Exchange Message. If no error is returned, + * and *havemsgp is 1, the message to be sent will be left in + * auth->lastauthmsg. Use the given private authentication key to sign + * messages. Call the auth_secceeded callback if authentication is + * successful. If non-NULL, use a copy of the given D-H keypair, with + * the given keyid. + */ +gcry_error_t otrl_auth_handle_v1_key_exchange(OtrlAuthInfo *auth, + const char *keyexchmsg, int *havemsgp, OtrlPrivKey *privkey, + DH_keypair *our_dh, unsigned int our_keyid, + gcry_error_t (*auth_succeeded)(const OtrlAuthInfo *auth, void *asdata), + void *asdata); + +/* + * Copy relevant information from the master OtrlAuthInfo to an + * instance OtrlAuthInfo in response to a D-H Key with a new + * instance. The fields copied will depend on the state of the + * master auth. + */ +void otrl_auth_copy_on_key(OtrlAuthInfo *m_auth, OtrlAuthInfo *auth); + +#endif diff --git a/comm/third_party/libotr/src/b64.c b/comm/third_party/libotr/src/b64.c new file mode 100644 index 0000000000..a7d53aa2b1 --- /dev/null +++ b/comm/third_party/libotr/src/b64.c @@ -0,0 +1,267 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Chris Alexander, Willy Lew, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* Modified from: */ + +/*********************************************************************\ + +MODULE NAME: b64.c + +AUTHOR: Bob Trower 08/04/01 + +LICENCE: Copyright (c) 2001 Bob Trower, Trantor Standard Systems Inc. + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated + documentation files (the "Software"), to deal in the + Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, + sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, + subject to the following conditions: + + The above copyright notice and this permission notice shall + be included in all copies or substantial portions of the + Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY + KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE + WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS + OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR + OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +VERSION HISTORY: + Bob Trower 08/04/01 -- Create Version 0.00.00B + +\******************************************************************* */ + +/* system headers */ +#include <stdio.h> +#include <string.h> + +/* libotr headers */ +#include "b64.h" + +/* +** Translation Table as described in RFC1113 +*/ +static const char cb64[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + +/* +** Translation Table to decode (created by author) +*/ +static const char cd64[]="|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\\]^_`abcdefghijklmnopq"; + +/* +** encodeblock +** +** encode up to 3 8-bit binary bytes as 4 '6-bit' characters. +** len must be 1, 2, or 3. +*/ +static void encodeblock( char *out, const unsigned char *in, size_t len ) +{ + unsigned char in0, in1, in2; + in0 = in[0]; + in1 = len > 1 ? in[1] : 0; + in2 = len > 2 ? in[2] : 0; + + out[0] = cb64[ in0 >> 2 ]; + out[1] = cb64[ ((in0 & 0x03) << 4) | ((in1 & 0xf0) >> 4) ]; + out[2] = len > 1 ? cb64[ ((in1 & 0x0f) << 2) | ((in2 & 0xc0) >> 6) ] + : '='; + out[3] = len > 2 ? cb64[ in2 & 0x3f ] + : '='; +} + +/* + * base64 encode data. Insert no linebreaks or whitespace. + * + * The buffer base64data must contain at least ((datalen+2)/3)*4 bytes of + * space. This function will return the number of bytes actually used. + */ +size_t otrl_base64_encode(char *base64data, const unsigned char *data, + size_t datalen) +{ + size_t base64len = 0; + + while(datalen > 2) { + encodeblock(base64data, data, 3); + base64data += 4; + base64len += 4; + data += 3; + datalen -= 3; + } + if (datalen > 0) { + encodeblock(base64data, data, datalen); + base64len += 4; + } + + return base64len; +} + +static size_t decode(unsigned char *out, const char *in, size_t b64len) +{ + size_t written = 0; + unsigned char c = 0; + + if (b64len > 0) { + c = in[0] << 2; + } + if (b64len > 1) { + out[0] = c | in[1] >> 4; + written = 1; + c = in[1] << 4; + } + if (b64len > 2) { + out[1] = c | in[2] >> 2; + written = 2; + c = in[2] << 6; + } + if (b64len > 3) { + out[2] = c | in[3]; + written = 3; + } + return written; +} + +/* + * base64 decode data. Skip non-base64 chars, and terminate at the + * first '=', or the end of the buffer. + * + * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes + * of space. This function will return the number of bytes actually + * used. + */ +size_t otrl_base64_decode(unsigned char *data, const char *base64data, + size_t base64len) +{ + size_t datalen = 0; + char b64[4]; + size_t b64accum = 0; + + while(base64len > 0) { + char b = *base64data; + unsigned char bdecode; + ++base64data; + --base64len; + if (b < '+' || b > 'z') continue; /* Skip non-base64 chars */ + if (b == '=') { + /* Force termination */ + datalen += decode(data, b64, b64accum); + base64len = 0; + } else { + bdecode = cd64[b-'+']; + if (bdecode == '$') continue; /* Skip non-base64 chars */ + b64[b64accum++] = bdecode-'>'; + if (b64accum == 4) { + /* We have a complete block; decode it. */ + size_t written = decode(data, b64, b64accum); + data += written; + datalen += written; + b64accum = 0; + } + } + } + + /* Just discard any short block at the end. */ + + return datalen; +} + +/* + * Base64-encode a block of data, stick "?OTR:" and "." around it, and + * return the result, or NULL in the event of a memory error. The + * caller must free() the return value. + */ +char *otrl_base64_otr_encode(const unsigned char *buf, size_t buflen) +{ + char *base64buf; + size_t base64len; + const size_t HALF_MAX_SIZE_T = ((size_t)-1) >> 1; + + if (buflen > HALF_MAX_SIZE_T) { + /* You somehow have a buffer that's of size more than half of + * all addressable memory, and you now want a base64 version in + * a new buffer 33% larger? Not going to happen. Exit now, + * rather in the malloc below, to avoid integer overflowing the + * computation of base64len. */ + return NULL; + } + + /* Make the base64-encoding. */ + base64len = ((buflen + 2) / 3) * 4; + base64buf = malloc(5 + base64len + 1 + 1); + if (base64buf == NULL) { + return NULL; + } + memmove(base64buf, "?OTR:", 5); + otrl_base64_encode(base64buf+5, buf, buflen); + base64buf[5 + base64len] = '.'; + base64buf[5 + base64len + 1] = '\0'; + + return base64buf; +} + +/* + * Base64-decode the portion of the given message between "?OTR:" and + * ".". Set *bufp to the decoded data, and set *lenp to its length. + * The caller must free() the result. Return 0 on success, -1 on a + * memory error, or -2 on invalid input. + */ +int otrl_base64_otr_decode(const char *msg, unsigned char **bufp, + size_t *lenp) +{ + char *otrtag, *endtag; + size_t msglen, rawlen; + unsigned char *rawmsg; + + otrtag = strstr(msg, "?OTR:"); + if (!otrtag) { + return -2; + } + + endtag = strchr(otrtag, '.'); + if (endtag) { + msglen = endtag-otrtag; + } else { + return -2; + } + + /* Skip over the "?OTR:" */ + otrtag += 5; + msglen -= 5; + + /* Base64-decode the message */ + rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */ + rawmsg = malloc(rawlen); + if (!rawmsg && rawlen > 0) { + return -1; + } + + rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */ + + *bufp = rawmsg; + *lenp = rawlen; + + return 0; +} diff --git a/comm/third_party/libotr/src/b64.h b/comm/third_party/libotr/src/b64.h new file mode 100644 index 0000000000..bdd584a45e --- /dev/null +++ b/comm/third_party/libotr/src/b64.h @@ -0,0 +1,72 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Chris Alexander, Willy Lew, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __B64_H__ +#define __B64_H__ + +#include <stdlib.h> + +/* Base64 encodes blocks of this many bytes: */ +#define OTRL_B64_DECODED_LEN 3 +/* into blocks of this many bytes: */ +#define OTRL_B64_ENCODED_LEN 4 + +/* An encoded block of length encoded_len can turn into a maximum of + * this many decoded bytes: */ +#define OTRL_B64_MAX_DECODED_SIZE(encoded_len) \ + (((encoded_len + OTRL_B64_ENCODED_LEN - 1) / OTRL_B64_ENCODED_LEN) \ + * OTRL_B64_DECODED_LEN) + +/* + * base64 encode data. Insert no linebreaks or whitespace. + * + * The buffer base64data must contain at least ((datalen+2)/3)*4 bytes of + * space. This function will return the number of bytes actually used. + */ +size_t otrl_base64_encode(char *base64data, const unsigned char *data, + size_t datalen); + +/* + * base64 decode data. Skip non-base64 chars, and terminate at the + * first '=', or the end of the buffer. + * + * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes + * of space. This function will return the number of bytes actually + * used. + */ +size_t otrl_base64_decode(unsigned char *data, const char *base64data, + size_t base64len); + +/* + * Base64-encode a block of data, stick "?OTR:" and "." around it, and + * return the result, or NULL in the event of a memory error. + */ +char *otrl_base64_otr_encode(const unsigned char *buf, size_t buflen); + +/* + * Base64-decode the portion of the given message between "?OTR:" and + * ".". Set *bufp to the decoded data, and set *lenp to its length. + * The caller must free() the result. Return 0 on success, -1 on a + * memory error, or -2 on invalid input. + */ +int otrl_base64_otr_decode(const char *msg, unsigned char **bufp, + size_t *lenp); + +#endif diff --git a/comm/third_party/libotr/src/context.c b/comm/third_party/libotr/src/context.c new file mode 100644 index 0000000000..44d8b860f7 --- /dev/null +++ b/comm/third_party/libotr/src/context.c @@ -0,0 +1,547 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* system headers */ +#include <stdlib.h> +#include <assert.h> + +/* libgcrypt headers */ +#include <gcrypt.h> + +/* libotr headers */ +#include "context.h" +#include "instag.h" + +#if OTRL_DEBUGGING +#include <stdio.h> + +void otrl_auth_dump(FILE *f, const OtrlAuthInfo *auth); +void otrl_sm_dump(FILE *f, const OtrlSMState *sm); + +/* Dump the contents of a context to the FILE *f. */ +void otrl_context_dump(FILE *f, const ConnContext *context) +{ + const Fingerprint *fing; + + fprintf(f, "Context %p:\n\n", context); + + fprintf(f, " Username: %s\n", context->username); + fprintf(f, " Accountname: %s\n", context->accountname); + fprintf(f, " Protocol: %s\n\n", context->protocol); + fprintf(f, " Master context: %p%s\n", context->m_context, + context->m_context == context ? " IS MASTER" : ""); + fprintf(f, " Recent recv child: %p\n", context->recent_rcvd_child); + fprintf(f, " Recent sent child: %p\n", context->recent_sent_child); + fprintf(f, " Recent child: %p\n\n", context->recent_child); + fprintf(f, " Our instance: %08x\n", context->our_instance); + fprintf(f, " Their instance: %08x\n\n", context->their_instance); + fprintf(f, " Msgstate: %d (%s)\n\n", context->msgstate, + context->msgstate == OTRL_MSGSTATE_PLAINTEXT ? "PLAINTEXT" : + context->msgstate == OTRL_MSGSTATE_ENCRYPTED ? "ENCRYPTED" : + context->msgstate == OTRL_MSGSTATE_FINISHED ? "FINISHED" : + "INVALID"); + otrl_auth_dump(f, &context->auth); + fprintf(f, "\n Fingerprints:\n"); + for (fing = context->fingerprint_root.next; fing; fing = fing->next) { + fprintf(f, " %p ", fing); + if (fing->fingerprint == NULL) { + fprintf(f, "(null)"); + } else { + int i; + for (i=0;i<20;++i) { + fprintf(f, "%02x", fing->fingerprint[i]); + } + } + fprintf(f, " %p", fing->context); + if (fing->trust && fing->trust[0]) { + fprintf(f, " %s", fing->trust); + } + fprintf(f, "\n"); + } + fprintf(f, "\n Active fingerprint: %p\n\n", context->active_fingerprint); + fprintf(f, " Protocol version: %d\n", context->protocol_version); + fprintf(f, " OTR offer: %d (%s)\n\n", context->otr_offer, + context->otr_offer == OFFER_NOT ? "NOT" : + context->otr_offer == OFFER_SENT ? "SENT" : + context->otr_offer == OFFER_REJECTED ? "REJECTED" : + context->otr_offer == OFFER_ACCEPTED ? "ACCEPTED" : + "INVALID"); + + fprintf(f, " Application data: %p\n", context->app_data); + if (context->smstate == NULL) { + fprintf(f, " SM state: NULL\n"); + } else { + otrl_sm_dump(f, context->smstate); + } + fprintf(f, "\n"); +} + +/* Dump the master context of this context, and all of its children. */ +void otrl_context_siblings_dump(FILE *f, const ConnContext *context) +{ + const ConnContext *citer; + for (citer = context->m_context; + citer && citer->m_context == context->m_context; + citer = citer->next) { + if (citer == context) { + fprintf(f, "*** "); + } + otrl_context_dump(f, citer); + } +} + +/* Dump all contexts. */ +void otrl_context_all_dump(FILE *f, OtrlUserState us) +{ + const ConnContext *citer; + unsigned int ctxnum = 1; + for (citer = us->context_root; citer; citer = citer->next, ++ctxnum) { + fprintf(f, "%u. ", ctxnum); + otrl_context_dump(f, citer); + } +} +#endif + +/* Create a new connection context. */ +static ConnContext * new_context(const char * user, const char * accountname, + const char * protocol) +{ + ConnContext * context; + OtrlSMState *smstate; + + context = malloc(sizeof(ConnContext)); + assert(context != NULL); + + context->username = strdup(user); + context->accountname = strdup(accountname); + context->protocol = strdup(protocol); + + context->msgstate = OTRL_MSGSTATE_PLAINTEXT; + otrl_auth_new(context); + + smstate = malloc(sizeof(OtrlSMState)); + assert(smstate != NULL); + otrl_sm_state_new(smstate); + context->smstate = smstate; + + context->our_instance = 0; + context->their_instance = OTRL_INSTAG_MASTER; + context->fingerprint_root.fingerprint = NULL; + context->fingerprint_root.context = context; + context->fingerprint_root.next = NULL; + context->fingerprint_root.tous = NULL; + context->active_fingerprint = NULL; + memset(context->sessionid, 0, 20); + context->sessionid_len = 0; + context->protocol_version = 0; + context->otr_offer = OFFER_NOT; + context->app_data = NULL; + context->app_data_free = NULL; + context->context_priv = otrl_context_priv_new(); + assert(context->context_priv != NULL); + context->next = NULL; + context->m_context = context; + context->recent_rcvd_child = NULL; + context->recent_sent_child = NULL; + context->recent_child = NULL; + + return context; +} + +ConnContext * otrl_context_find_recent_instance(ConnContext * context, + otrl_instag_t recent_instag) { + ConnContext * m_context; + + if (!context) return NULL; + + m_context = context->m_context; + + if (!m_context) return NULL; + + switch(recent_instag) { + case OTRL_INSTAG_RECENT: + return m_context->recent_child; + case OTRL_INSTAG_RECENT_RECEIVED: + return m_context->recent_rcvd_child; + case OTRL_INSTAG_RECENT_SENT: + return m_context->recent_sent_child; + default: + return NULL; + } +} + +/* Find the instance of this context that has the best security level, + and for which we have most recently received a message from. Note that most + recent in this case is limited to a one-second resolution. */ +ConnContext * otrl_context_find_recent_secure_instance(ConnContext * context) +{ + ConnContext *curp; /* for iteration */ + ConnContext *m_context; /* master */ + ConnContext *cresult = context; /* best so far */ + + if (!context) { + return cresult; + } + + m_context = context->m_context; + + for (curp = m_context; curp && curp->m_context == m_context; + curp = curp->next) { + int msgstate_improved = 0; /* 0 == same, 1 == improved */ + int trust_improved = 0; /* (will immediately 'continue' if worse + * than) */ + + if (cresult->msgstate == curp->msgstate) { + msgstate_improved = 0; + } else if (curp->msgstate == OTRL_MSGSTATE_ENCRYPTED || + (cresult->msgstate == OTRL_MSGSTATE_PLAINTEXT && + curp->msgstate == OTRL_MSGSTATE_FINISHED)) { + msgstate_improved = 1; + } else { + continue; + } + + + if (otrl_context_is_fingerprint_trusted(cresult->active_fingerprint) == + otrl_context_is_fingerprint_trusted(curp->active_fingerprint)) { + + trust_improved = 0; + } else if + (otrl_context_is_fingerprint_trusted(curp->active_fingerprint)){ + + trust_improved = 1; + } else { + continue; + } + + if (msgstate_improved || trust_improved || + (!msgstate_improved && !trust_improved && + curp->context_priv->lastrecv >= + cresult->context_priv->lastrecv)) { + cresult = curp; + } + } + + return cresult; +} + +/* Look up a connection context by name/account/protocol/instag from the given + * OtrlUserState. If add_if_missing is true, allocate and return a new + * context if one does not currently exist. In that event, call + * add_app_data(data, context) so that app_data and app_data_free can be + * filled in by the application, and set *addedp to 1. + * In the 'their_instance' field note that you can also specify a 'meta- + * instance' value such as OTRL_INSTAG_MASTER, OTRL_INSTAG_RECENT, + * OTRL_INSTAG_RECENT_RECEIVED and OTRL_INSTAG_RECENT_SENT. */ +ConnContext * otrl_context_find(OtrlUserState us, const char *user, + const char *accountname, const char *protocol, + otrl_instag_t their_instance, int add_if_missing, int *addedp, + void (*add_app_data)(void *data, ConnContext *context), void *data) +{ + ConnContext ** curp; + int usercmp = 1, acctcmp = 1, protocmp = 1; + if (addedp) *addedp = 0; + if (!user || !accountname || !protocol) return NULL; + + for (curp = &(us->context_root); *curp; curp = &((*curp)->next)) { + if ((usercmp = strcmp((*curp)->username, user)) > 0 || + (usercmp == 0 && + (acctcmp = strcmp((*curp)->accountname, accountname)) > 0) || + (usercmp == 0 && acctcmp == 0 && + (protocmp = strcmp((*curp)->protocol, protocol)) > 0) || + (usercmp == 0 && acctcmp == 0 && protocmp == 0 + && (their_instance < OTRL_MIN_VALID_INSTAG || + ((*curp)->their_instance >= their_instance)))) + /* We're at the right place in the list. We've either found + * it, or gone too far. */ + break; + } + + if (usercmp == 0 && acctcmp == 0 && protocmp == 0 && *curp && + (their_instance < OTRL_MIN_VALID_INSTAG || + (their_instance == (*curp)->their_instance))) { + /* Found one! */ + if (their_instance >= OTRL_MIN_VALID_INSTAG || + their_instance == OTRL_INSTAG_MASTER) { + return *curp; + } + + /* We need to go back and check more values in the context */ + switch(their_instance) { + case OTRL_INSTAG_BEST: + return otrl_context_find_recent_secure_instance(*curp); + case OTRL_INSTAG_RECENT: + case OTRL_INSTAG_RECENT_RECEIVED: + case OTRL_INSTAG_RECENT_SENT: + return otrl_context_find_recent_instance(*curp, their_instance); + default: + return NULL; + } + } + + if (add_if_missing) { + ConnContext *newctx; + OtrlInsTag *our_instag = (OtrlInsTag *)otrl_instag_find(us, accountname, + protocol); + + if (addedp) *addedp = 1; + newctx = new_context(user, accountname, protocol); + newctx->next = *curp; + if (*curp) { + (*curp)->tous = &(newctx->next); + } + *curp = newctx; + newctx->tous = curp; + if (add_app_data) { + add_app_data(data, *curp); + } + + /* Initialize specified instance tags */ + if (our_instag) { + newctx->our_instance = our_instag->instag; + } + + if (their_instance >= OTRL_MIN_VALID_INSTAG || + their_instance == OTRL_INSTAG_MASTER) { + newctx->their_instance = their_instance; + } + + if (their_instance >= OTRL_MIN_VALID_INSTAG) { + newctx->m_context = otrl_context_find(us, user, accountname, + protocol, OTRL_INSTAG_MASTER, 1, NULL, add_app_data, data); + } + + if (their_instance == OTRL_INSTAG_MASTER) { + /* if we're adding a master, there are no children, so the most + * recent context is the one we add. */ + newctx->recent_child = newctx; + newctx->recent_rcvd_child = newctx; + newctx->recent_sent_child = newctx; + } + + return *curp; + } + return NULL; +} + +/* Return true iff the given fingerprint is marked as trusted. */ +int otrl_context_is_fingerprint_trusted(Fingerprint *fprint) { + return fprint && fprint->trust && fprint->trust[0] != '\0'; +} + +/* This method gets called after sending or receiving a message, to + * update the master context's "recent context" pointers. */ +void otrl_context_update_recent_child(ConnContext *context, + unsigned int sent_msg) { + ConnContext *m_context = context->m_context; + + if (sent_msg) { + m_context->recent_sent_child = context; + } else { + m_context->recent_rcvd_child = context; + } + + m_context->recent_child = context; + +} + +/* Find a fingerprint in a given context, perhaps adding it if not + * present. */ +Fingerprint *otrl_context_find_fingerprint(ConnContext *context, + unsigned char fingerprint[20], int add_if_missing, int *addedp) +{ + Fingerprint *f; + if (addedp) *addedp = 0; + + if (!context || !context->m_context) return NULL; + + context = context->m_context; + + f = context->fingerprint_root.next; + while(f) { + if (!memcmp(f->fingerprint, fingerprint, 20)) return f; + f = f->next; + } + + /* Didn't find it. */ + if (add_if_missing) { + if (addedp) *addedp = 1; + f = malloc(sizeof(*f)); + assert(f != NULL); + f->fingerprint = malloc(20); + assert(f->fingerprint != NULL); + memmove(f->fingerprint, fingerprint, 20); + f->context = context; + f->trust = NULL; + f->next = context->fingerprint_root.next; + if (f->next) { + f->next->tous = &(f->next); + } + context->fingerprint_root.next = f; + f->tous = &(context->fingerprint_root.next); + return f; + } + return NULL; +} + +/* Set the trust level for a given fingerprint */ +void otrl_context_set_trust(Fingerprint *fprint, const char *trust) +{ + if (fprint == NULL) return; + + free(fprint->trust); + fprint->trust = trust ? strdup(trust) : NULL; +} + +/* Force a context into the OTRL_MSGSTATE_FINISHED state. */ +void otrl_context_force_finished(ConnContext *context) +{ + context->msgstate = OTRL_MSGSTATE_FINISHED; + otrl_auth_clear(&(context->auth)); + context->active_fingerprint = NULL; + memset(context->sessionid, 0, 20); + context->sessionid_len = 0; + context->protocol_version = 0; + otrl_sm_state_free(context->smstate); + otrl_context_priv_force_finished(context->context_priv); +} + +/* Force a context into the OTRL_MSGSTATE_PLAINTEXT state. */ +void otrl_context_force_plaintext(ConnContext *context) +{ + /* First clean up everything we'd need to do for the FINISHED state */ + otrl_context_force_finished(context); + + /* And just set the state properly */ + context->msgstate = OTRL_MSGSTATE_PLAINTEXT; +} + +/* Forget a fingerprint (so long as it's not the active one. If it's a + * fingerprint_root, forget the whole context (as long as + * and_maybe_context is set, and it's PLAINTEXT). Also, if it's not + * the fingerprint_root, but it's the only fingerprint, and we're + * PLAINTEXT, forget the whole context if and_maybe_context is set. */ +void otrl_context_forget_fingerprint(Fingerprint *fprint, + int and_maybe_context) +{ + ConnContext *context = fprint->context; + if (fprint == &(context->fingerprint_root)) { + if (context->msgstate == OTRL_MSGSTATE_PLAINTEXT && + and_maybe_context) { + otrl_context_forget(context); + } + } else { + if (context->msgstate != OTRL_MSGSTATE_PLAINTEXT || + context->active_fingerprint != fprint) { + + free(fprint->fingerprint); + free(fprint->trust); + *(fprint->tous) = fprint->next; + if (fprint->next) { + fprint->next->tous = fprint->tous; + } + free(fprint); + if (context->msgstate == OTRL_MSGSTATE_PLAINTEXT && + context->fingerprint_root.next == NULL && + and_maybe_context) { + /* We just deleted the only fingerprint. Forget the + * whole thing. */ + otrl_context_forget(context); + } + } + } +} + +/* Forget a whole context, so long as it's PLAINTEXT. If a context has child + * instances, don't remove this instance unless children are also all in + * PLAINTEXT state. In this case, the children will also be removed. + * Returns 0 on success, 1 on failure. */ +int otrl_context_forget(ConnContext *context) +{ + if (context->msgstate != OTRL_MSGSTATE_PLAINTEXT) return 1; + + if (context->their_instance == OTRL_INSTAG_MASTER) { + ConnContext *c_iter; + + for (c_iter = context; c_iter && + c_iter->m_context == context->m_context; + c_iter = c_iter->next) { + if (c_iter->msgstate != OTRL_MSGSTATE_PLAINTEXT) return 1; + } + + c_iter = context->next; + while (c_iter && c_iter->m_context == context->m_context) { + if (!otrl_context_forget(c_iter)) { + c_iter = context->next; + } else { + return 1; + } + } + + } + + /* Just to be safe, force to plaintext. This also frees any + * extraneous data lying around. */ + otrl_context_force_plaintext(context); + + /* First free all the Fingerprints */ + while(context->fingerprint_root.next) { + otrl_context_forget_fingerprint(context->fingerprint_root.next, 0); + } + /* Now free all the dynamic info here */ + free(context->username); + free(context->accountname); + free(context->protocol); + free(context->smstate); + context->username = NULL; + context->accountname = NULL; + context->protocol = NULL; + context->smstate = NULL; + + /* Free the application data, if it exists */ + if (context->app_data && context->app_data_free) { + (context->app_data_free)(context->app_data); + context->app_data = NULL; + } + + /* Fix the list linkages */ + *(context->tous) = context->next; + if (context->next) { + context->next->tous = context->tous; + } + + free(context); + return 0; +} + +/* Forget all the contexts in a given OtrlUserState. */ +void otrl_context_forget_all(OtrlUserState us) +{ + ConnContext *c_iter; + + for (c_iter = us->context_root; c_iter; c_iter = c_iter->next) { + otrl_context_force_plaintext(c_iter); + } + + while (us->context_root) { + otrl_context_forget(us->context_root); + } +} diff --git a/comm/third_party/libotr/src/context.h b/comm/third_party/libotr/src/context.h new file mode 100644 index 0000000000..55cd082845 --- /dev/null +++ b/comm/third_party/libotr/src/context.h @@ -0,0 +1,193 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __CONTEXT_H__ +#define __CONTEXT_H__ + +#include "context_priv.h" + +#include <gcrypt.h> + +#include "dh.h" +#include "auth.h" +#include "sm.h" + +typedef struct context ConnContext; /* Forward declare */ + +#include "instag.h" + +typedef enum { + OTRL_MSGSTATE_PLAINTEXT, /* Not yet started an encrypted + conversation */ + OTRL_MSGSTATE_ENCRYPTED, /* Currently in an encrypted + conversation */ + OTRL_MSGSTATE_FINISHED /* The remote side has sent us a + notification that he has ended + his end of the encrypted + conversation; prevent any + further messages from being + sent to him. */ +} OtrlMessageState; + +typedef struct s_fingerprint { + struct s_fingerprint *next; /* The next fingerprint in the list */ + struct s_fingerprint **tous; /* A pointer to the pointer to us */ + unsigned char *fingerprint; /* The fingerprint, or NULL */ + struct context *context; /* The context to which we belong */ + char *trust; /* The trust level of the fingerprint */ +} Fingerprint; + +struct context { + struct context * next; /* Linked list pointer */ + struct context ** tous; /* A pointer to the pointer to us */ + + /* Context information that is meant for internal use */ + + ConnContextPriv *context_priv; + + /* Context information that is meant for application use */ + + char * username; /* The user this context is for */ + char * accountname; /* The username is relative to + this account... */ + char * protocol; /* ... and this protocol */ + + struct context *m_context; /* If this is a child context, this + field will point to the master + context. Otherwise it will point to + itself. */ + struct context *recent_rcvd_child; /* If this is a master context, this + points to the child context that + has received a message most recently. + By default, it will point to the + master context. In child contexts + this field is NULL. */ + struct context *recent_sent_child; /* Similar to above, but it points to + the child who has sent most + recently. */ + struct context *recent_child; /* Similar to above, but will point to + the most recent of recent_rcvd_child + and recent_sent_child */ + + otrl_instag_t our_instance; /* Our instance tag for this computer*/ + otrl_instag_t their_instance; /* The user's instance tag */ + + OtrlMessageState msgstate; /* The state of message disposition + with this user */ + OtrlAuthInfo auth; /* The state of ongoing + authentication with this user */ + + Fingerprint fingerprint_root; /* The root of a linked list of + Fingerprints entries. This list will + only be populated in master contexts. + For child contexts, + fingerprint_root.next will always + point to NULL. */ + Fingerprint *active_fingerprint; /* Which fingerprint is in use now? + A pointer into the above list */ + + unsigned char sessionid[20]; /* The sessionid and bold half */ + size_t sessionid_len; /* determined when this private */ + OtrlSessionIdHalf sessionid_half; /* connection was established. */ + + unsigned int protocol_version; /* The version of OTR in use */ + + enum { + OFFER_NOT, + OFFER_SENT, + OFFER_REJECTED, + OFFER_ACCEPTED + } otr_offer; /* Has this correspondent repsponded to our + OTR offers? */ + + /* Application data to be associated with this context */ + void *app_data; + /* A function to free the above data when we forget this context */ + void (*app_data_free)(void *); + + OtrlSMState *smstate; /* The state of the current + socialist millionaires exchange */ +}; + +#include "userstate.h" + +/* Look up a connection context by name/account/protocol/instance from the + * given OtrlUserState. If add_if_missing is true, allocate and return a + * new context if one does not currently exist. In that event, call + * add_app_data(data, context) so that app_data and app_data_free can be + * filled in by the application, and set *addedp to 1. + * In the 'their_instance' field note that you can also specify a 'meta- + * instance' value such as OTRL_INSTAG_MASTER, OTRL_INSTAL_RECENT, + * OTRL_INSTAG_RECENT_RECEIVED and OTRL_INSTAG_RECENT_SENT. */ +ConnContext * otrl_context_find(OtrlUserState us, const char *user, + const char *accountname, const char *protocol, + otrl_instag_t their_instance, int add_if_missing, int *addedp, + void (*add_app_data)(void *data, ConnContext *context), void *data); + +/* Return true iff the given fingerprint is marked as trusted. */ +int otrl_context_is_fingerprint_trusted(Fingerprint *fprint); + +/* This method gets called after sending or receiving a message, to + * update the master context's "recent context" pointers. */ +void otrl_context_update_recent_child(ConnContext *context, + unsigned int sent_msg); + +/* Find a fingerprint in a given context, perhaps adding it if not + * present. */ +Fingerprint *otrl_context_find_fingerprint(ConnContext *context, + unsigned char fingerprint[20], int add_if_missing, int *addedp); + +/* Set the trust level for a given fingerprint */ +void otrl_context_set_trust(Fingerprint *fprint, const char *trust); + +/* Force a context into the OTRL_MSGSTATE_FINISHED state. */ +void otrl_context_force_finished(ConnContext *context); + +/* Force a context into the OTRL_MSGSTATE_PLAINTEXT state. */ +void otrl_context_force_plaintext(ConnContext *context); + +/* Forget a fingerprint (so long as it's not the active one. If it's a + * fingerprint_root, forget the whole context (as long as + * and_maybe_context is set, and it's PLAINTEXT). Also, if it's not + * the fingerprint_root, but it's the only fingerprint, and we're + * PLAINTEXT, forget the whole context if and_maybe_context is set. */ +void otrl_context_forget_fingerprint(Fingerprint *fprint, + int and_maybe_context); + +/* Forget a whole context, so long as it's PLAINTEXT. If a context has child + * instances, don't remove this instance unless children are also all in + * PLAINTEXT state. In this case, the children will also be removed. + * Returns 0 on success, 1 on failure. */ +int otrl_context_forget(ConnContext *context); + +/* Forget all the contexts in a given OtrlUserState. */ +void otrl_context_forget_all(OtrlUserState us); + +/* Find requested recent instance */ +ConnContext * otrl_context_find_recent_instance(ConnContext * context, + otrl_instag_t recent_instag); + +/* Find the instance of this context that has the best security level, and for + * which we have most recently received a message from. Note that most recent + * in this case is limited to a one-second resolution. */ +ConnContext * otrl_context_find_recent_secure_instance(ConnContext * context); + +#endif diff --git a/comm/third_party/libotr/src/context_priv.c b/comm/third_party/libotr/src/context_priv.c new file mode 100644 index 0000000000..47d05b9204 --- /dev/null +++ b/comm/third_party/libotr/src/context_priv.c @@ -0,0 +1,95 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Chris Alexander, Willy Lew, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* system headers */ +#include <stdlib.h> +#include <assert.h> + +/* libgcrypt headers */ +#include <gcrypt.h> + +/* libotr headers */ +#include "context_priv.h" + +/* Create a new private connection context */ +ConnContextPriv *otrl_context_priv_new() +{ + ConnContextPriv *context_priv; + context_priv = malloc(sizeof(*context_priv)); + assert(context_priv != NULL); + + context_priv->fragment = NULL; + context_priv->fragment_len = 0; + context_priv->fragment_n = 0; + context_priv->fragment_k = 0; + context_priv->numsavedkeys = 0; + context_priv->saved_mac_keys = NULL; + context_priv->generation = 0; + context_priv->lastsent = 0; + context_priv->lastmessage = NULL; + context_priv->lastrecv = 0; + context_priv->may_retransmit = 0; + context_priv->their_keyid = 0; + context_priv->their_y = NULL; + context_priv->their_old_y = NULL; + context_priv->our_keyid = 0; + context_priv->our_dh_key.groupid = 0; + context_priv->our_dh_key.priv = NULL; + context_priv->our_dh_key.pub = NULL; + context_priv->our_old_dh_key.groupid = 0; + context_priv->our_old_dh_key.priv = NULL; + context_priv->our_old_dh_key.pub = NULL; + otrl_dh_session_blank(&(context_priv->sesskeys[0][0])); + otrl_dh_session_blank(&(context_priv->sesskeys[0][1])); + otrl_dh_session_blank(&(context_priv->sesskeys[1][0])); + otrl_dh_session_blank(&(context_priv->sesskeys[1][1])); + + return context_priv; +} + +/* Resets the appropriate variables when a context + * is being force finished + */ +void otrl_context_priv_force_finished(ConnContextPriv *context_priv) +{ + free(context_priv->fragment); + context_priv->fragment = NULL; + context_priv->fragment_len = 0; + context_priv->fragment_n = 0; + context_priv->fragment_k = 0; + context_priv->numsavedkeys = 0; + free(context_priv->saved_mac_keys); + context_priv->saved_mac_keys = NULL; + gcry_free(context_priv->lastmessage); + context_priv->lastmessage = NULL; + context_priv->may_retransmit = 0; + context_priv->their_keyid = 0; + gcry_mpi_release(context_priv->their_y); + context_priv->their_y = NULL; + gcry_mpi_release(context_priv->their_old_y); + context_priv->their_old_y = NULL; + context_priv->our_keyid = 0; + otrl_dh_keypair_free(&(context_priv->our_dh_key)); + otrl_dh_keypair_free(&(context_priv->our_old_dh_key)); + otrl_dh_session_free(&(context_priv->sesskeys[0][0])); + otrl_dh_session_free(&(context_priv->sesskeys[0][1])); + otrl_dh_session_free(&(context_priv->sesskeys[1][0])); + otrl_dh_session_free(&(context_priv->sesskeys[1][1])); +} diff --git a/comm/third_party/libotr/src/context_priv.h b/comm/third_party/libotr/src/context_priv.h new file mode 100644 index 0000000000..0748074e9b --- /dev/null +++ b/comm/third_party/libotr/src/context_priv.h @@ -0,0 +1,94 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Chris Alexander, Willy Lew, + * Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __CONTEXT_PRIV_H__ +#define __CONTEXT_PRIV_H__ + +#include <gcrypt.h> + +#include "dh.h" +#include "auth.h" +#include "sm.h" + +typedef struct context_priv { + /* The part of the fragmented message we've seen so far */ + char *fragment; + + /* The length of fragment */ + size_t fragment_len; + + /* The total number of fragments in this message */ + unsigned short fragment_n; + + /* The highest fragment number we've seen so far for this message */ + unsigned short fragment_k; + + /* current keyid used by other side; this is set to 0 if we get + * a OTRL_TLV_DISCONNECTED message from them. */ + unsigned int their_keyid; + + /* Y[their_keyid] (their DH pubkey) */ + gcry_mpi_t their_y; + + /* Y[their_keyid-1] (their prev DH pubkey) */ + gcry_mpi_t their_old_y; + + /* current keyid used by us */ + unsigned int our_keyid; + + /* DH key[our_keyid] */ + DH_keypair our_dh_key; + + /* DH key[our_keyid-1] */ + DH_keypair our_old_dh_key; + + /* sesskeys[i][j] are the session keys derived from DH + * key[our_keyid-i] and mpi Y[their_keyid-j] */ + DH_sesskeys sesskeys[2][2]; + + /* saved mac keys to be revealed later */ + unsigned int numsavedkeys; + unsigned char *saved_mac_keys; + + /* generation number: increment every time we go private, and never + * reset to 0 (unless we remove the context entirely) */ + unsigned int generation; + + /* The last time a Data Message was sent */ + time_t lastsent; + + /* The last time a Data Message was received */ + time_t lastrecv; + + /* The plaintext of the last Data Message sent */ + char *lastmessage; + + /* Is the last message eligible for retransmission? */ + int may_retransmit; + +} ConnContextPriv; + +/* Create a new private connection context. */ +ConnContextPriv *otrl_context_priv_new(); + +/* Frees up memory that was used in otrl_context_priv_new */ +void otrl_context_priv_force_finished(ConnContextPriv *context_priv); + +#endif diff --git a/comm/third_party/libotr/src/dh.c b/comm/third_party/libotr/src/dh.c new file mode 100644 index 0000000000..d8bc45d10d --- /dev/null +++ b/comm/third_party/libotr/src/dh.c @@ -0,0 +1,476 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* system headers */ +#include <stdlib.h> + +/* libgcrypt headers */ +#include <gcrypt.h> + +/* libotr headers */ +#include "dh.h" + + +static const char* DH1536_MODULUS_S = "0x" + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" + "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"; +static const char *DH1536_GENERATOR_S = "0x02"; +static const int DH1536_MOD_LEN_BITS = 1536; +static const int DH1536_MOD_LEN_BYTES = 192; + +static gcry_mpi_t DH1536_MODULUS = NULL; +static gcry_mpi_t DH1536_MODULUS_MINUS_2 = NULL; +static gcry_mpi_t DH1536_GENERATOR = NULL; + +/* + * Call this once, at plugin load time. It sets up the modulus and + * generator MPIs. + */ +void otrl_dh_init(void) +{ + gcry_mpi_scan(&DH1536_MODULUS, GCRYMPI_FMT_HEX, + (const unsigned char *)DH1536_MODULUS_S, 0, NULL); + gcry_mpi_scan(&DH1536_GENERATOR, GCRYMPI_FMT_HEX, + (const unsigned char *)DH1536_GENERATOR_S, 0, NULL); + DH1536_MODULUS_MINUS_2 = gcry_mpi_new(DH1536_MOD_LEN_BITS); + gcry_mpi_sub_ui(DH1536_MODULUS_MINUS_2, DH1536_MODULUS, 2); +} + +/* + * Initialize the fields of a DH keypair. + */ +void otrl_dh_keypair_init(DH_keypair *kp) +{ + kp->groupid = 0; + kp->priv = NULL; + kp->pub = NULL; +} + +/* + * Copy a DH_keypair. + */ +void otrl_dh_keypair_copy(DH_keypair *dst, const DH_keypair *src) +{ + dst->groupid = src->groupid; + dst->priv = gcry_mpi_copy(src->priv); + dst->pub = gcry_mpi_copy(src->pub); +} + +/* + * Deallocate the contents of a DH_keypair (but not the DH_keypair + * itself) + */ +void otrl_dh_keypair_free(DH_keypair *kp) +{ + gcry_mpi_release(kp->priv); + gcry_mpi_release(kp->pub); + kp->priv = NULL; + kp->pub = NULL; +} + +/* + * Generate a DH keypair for a specified group. + */ +gcry_error_t otrl_dh_gen_keypair(unsigned int groupid, DH_keypair *kp) +{ + unsigned char *secbuf = NULL; + gcry_mpi_t privkey = NULL; + + if (groupid != DH1536_GROUP_ID) { + /* Invalid group id */ + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Generate the secret key: a random 320-bit value */ + secbuf = gcry_random_bytes_secure(40, GCRY_STRONG_RANDOM); + gcry_mpi_scan(&privkey, GCRYMPI_FMT_USG, secbuf, 40, NULL); + gcry_free(secbuf); + + kp->groupid = groupid; + kp->priv = privkey; + kp->pub = gcry_mpi_new(DH1536_MOD_LEN_BITS); + gcry_mpi_powm(kp->pub, DH1536_GENERATOR, privkey, DH1536_MODULUS); + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* + * Construct session keys from a DH keypair and someone else's public + * key. + */ +gcry_error_t otrl_dh_session(DH_sesskeys *sess, const DH_keypair *kp, + gcry_mpi_t y) +{ + gcry_mpi_t gab; + size_t gablen; + unsigned char *gabdata; + unsigned char *hashdata; + unsigned char sendbyte, rcvbyte; + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + + otrl_dh_session_blank(sess); + + if (kp->groupid != DH1536_GROUP_ID) { + /* Invalid group id */ + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Calculate the shared secret MPI */ + gab = gcry_mpi_snew(DH1536_MOD_LEN_BITS); + gcry_mpi_powm(gab, y, kp->priv, DH1536_MODULUS); + + /* Output it in the right format */ + gcry_mpi_print(GCRYMPI_FMT_USG, NULL, 0, &gablen, gab); + gabdata = gcry_malloc_secure(gablen + 5); + if (!gabdata) { + gcry_mpi_release(gab); + return gcry_error(GPG_ERR_ENOMEM); + } + gabdata[1] = (gablen >> 24) & 0xff; + gabdata[2] = (gablen >> 16) & 0xff; + gabdata[3] = (gablen >> 8) & 0xff; + gabdata[4] = gablen & 0xff; + gcry_mpi_print(GCRYMPI_FMT_USG, gabdata+5, gablen, NULL, gab); + gcry_mpi_release(gab); + + hashdata = gcry_malloc_secure(20); + if (!hashdata) { + gcry_free(gabdata); + return gcry_error(GPG_ERR_ENOMEM); + } + + /* Are we the "high" or "low" end of the connection? */ + if ( gcry_mpi_cmp(kp->pub, y) > 0 ) { + sendbyte = 0x01; + rcvbyte = 0x02; + } else { + sendbyte = 0x02; + rcvbyte = 0x01; + } + + /* Calculate the sending encryption key */ + gabdata[0] = sendbyte; + gcry_md_hash_buffer(GCRY_MD_SHA1, hashdata, gabdata, gablen+5); + err = gcry_cipher_open(&(sess->sendenc), GCRY_CIPHER_AES, + GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE); + if (err) goto err; + err = gcry_cipher_setkey(sess->sendenc, hashdata, 16); + if (err) goto err; + + /* Calculate the sending MAC key */ + gcry_md_hash_buffer(GCRY_MD_SHA1, sess->sendmackey, hashdata, 16); + err = gcry_md_open(&(sess->sendmac), GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); + if (err) goto err; + err = gcry_md_setkey(sess->sendmac, sess->sendmackey, 20); + if (err) goto err; + + /* Calculate the receiving encryption key */ + gabdata[0] = rcvbyte; + gcry_md_hash_buffer(GCRY_MD_SHA1, hashdata, gabdata, gablen+5); + err = gcry_cipher_open(&(sess->rcvenc), GCRY_CIPHER_AES, + GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE); + if (err) goto err; + err = gcry_cipher_setkey(sess->rcvenc, hashdata, 16); + if (err) goto err; + + /* Calculate the receiving MAC key (and save it in the DH_sesskeys + * struct, so we can reveal it later) */ + gcry_md_hash_buffer(GCRY_MD_SHA1, sess->rcvmackey, hashdata, 16); + err = gcry_md_open(&(sess->rcvmac), GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); + if (err) goto err; + err = gcry_md_setkey(sess->rcvmac, sess->rcvmackey, 20); + if (err) goto err; + + /* Calculate the extra key (used if applications wish to extract a + * symmetric key for transferring files, or something like that) */ + gabdata[0] = 0xff; + gcry_md_hash_buffer(GCRY_MD_SHA256, sess->extrakey, gabdata, gablen+5); + + gcry_free(gabdata); + gcry_free(hashdata); + return gcry_error(GPG_ERR_NO_ERROR); +err: + otrl_dh_session_free(sess); + gcry_free(gabdata); + gcry_free(hashdata); + return err; +} + +/* + * Compute the secure session id, two encryption keys, and four MAC keys + * given our DH key and their DH public key. + */ +gcry_error_t otrl_dh_compute_v2_auth_keys(const DH_keypair *our_dh, + gcry_mpi_t their_pub, unsigned char *sessionid, size_t *sessionidlenp, + gcry_cipher_hd_t *enc_c, gcry_cipher_hd_t *enc_cp, + gcry_md_hd_t *mac_m1, gcry_md_hd_t *mac_m1p, + gcry_md_hd_t *mac_m2, gcry_md_hd_t *mac_m2p) +{ + gcry_mpi_t s; + size_t slen; + unsigned char *sdata; + unsigned char *hashdata; + unsigned char ctr[16]; + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + + *enc_c = NULL; + *enc_cp = NULL; + *mac_m1 = NULL; + *mac_m1p = NULL; + *mac_m2 = NULL; + *mac_m2p = NULL; + memset(ctr, 0, 16); + + if (our_dh->groupid != DH1536_GROUP_ID) { + /* Invalid group id */ + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Check that their_pub is in range */ + if (gcry_mpi_cmp_ui(their_pub, 2) < 0 || + gcry_mpi_cmp(their_pub, DH1536_MODULUS_MINUS_2) > 0) { + /* Invalid pubkey */ + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Calculate the shared secret MPI */ + s = gcry_mpi_snew(DH1536_MOD_LEN_BITS); + gcry_mpi_powm(s, their_pub, our_dh->priv, DH1536_MODULUS); + + /* Output it in the right format */ + gcry_mpi_print(GCRYMPI_FMT_USG, NULL, 0, &slen, s); + sdata = gcry_malloc_secure(slen + 5); + if (!sdata) { + gcry_mpi_release(s); + return gcry_error(GPG_ERR_ENOMEM); + } + sdata[1] = (slen >> 24) & 0xff; + sdata[2] = (slen >> 16) & 0xff; + sdata[3] = (slen >> 8) & 0xff; + sdata[4] = slen & 0xff; + gcry_mpi_print(GCRYMPI_FMT_USG, sdata+5, slen, NULL, s); + gcry_mpi_release(s); + + /* Calculate the session id */ + hashdata = gcry_malloc_secure(32); + if (!hashdata) { + gcry_free(sdata); + return gcry_error(GPG_ERR_ENOMEM); + } + sdata[0] = 0x00; + gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); + memmove(sessionid, hashdata, 8); + *sessionidlenp = 8; + + /* Calculate the encryption keys */ + sdata[0] = 0x01; + gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); + + err = gcry_cipher_open(enc_c, GCRY_CIPHER_AES, + GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE); + if (err) goto err; + err = gcry_cipher_setkey(*enc_c, hashdata, 16); + if (err) goto err; + err = gcry_cipher_setctr(*enc_c, ctr, 16); + if (err) goto err; + + err = gcry_cipher_open(enc_cp, GCRY_CIPHER_AES, + GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_SECURE); + if (err) goto err; + err = gcry_cipher_setkey(*enc_cp, hashdata+16, 16); + if (err) goto err; + err = gcry_cipher_setctr(*enc_cp, ctr, 16); + if (err) goto err; + + /* Calculate the MAC keys */ + sdata[0] = 0x02; + gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); + err = gcry_md_open(mac_m1, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC); + if (err) goto err; + err = gcry_md_setkey(*mac_m1, hashdata, 32); + if (err) goto err; + + sdata[0] = 0x03; + gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); + err = gcry_md_open(mac_m2, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC); + if (err) goto err; + err = gcry_md_setkey(*mac_m2, hashdata, 32); + if (err) goto err; + + sdata[0] = 0x04; + gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); + err = gcry_md_open(mac_m1p, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC); + if (err) goto err; + err = gcry_md_setkey(*mac_m1p, hashdata, 32); + if (err) goto err; + + sdata[0] = 0x05; + gcry_md_hash_buffer(GCRY_MD_SHA256, hashdata, sdata, slen+5); + err = gcry_md_open(mac_m2p, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC); + if (err) goto err; + err = gcry_md_setkey(*mac_m2p, hashdata, 32); + if (err) goto err; + + gcry_free(sdata); + gcry_free(hashdata); + return gcry_error(GPG_ERR_NO_ERROR); + +err: + gcry_cipher_close(*enc_c); + gcry_cipher_close(*enc_cp); + gcry_md_close(*mac_m1); + gcry_md_close(*mac_m1p); + gcry_md_close(*mac_m2); + gcry_md_close(*mac_m2p); + *enc_c = NULL; + *enc_cp = NULL; + *mac_m1 = NULL; + *mac_m1p = NULL; + *mac_m2 = NULL; + *mac_m2p = NULL; + gcry_free(sdata); + gcry_free(hashdata); + return err; +} + +/* + * Compute the secure session id, given our DH key and their DH public + * key. + */ +gcry_error_t otrl_dh_compute_v1_session_id(const DH_keypair *our_dh, + gcry_mpi_t their_pub, unsigned char *sessionid, size_t *sessionidlenp, + OtrlSessionIdHalf *halfp) +{ + gcry_mpi_t s; + size_t slen; + unsigned char *sdata; + unsigned char *hashdata; + + if (our_dh->groupid != DH1536_GROUP_ID) { + /* Invalid group id */ + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Check that their_pub is in range */ + if (gcry_mpi_cmp_ui(their_pub, 2) < 0 || + gcry_mpi_cmp(their_pub, DH1536_MODULUS_MINUS_2) > 0) { + /* Invalid pubkey */ + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Calculate the shared secret MPI */ + s = gcry_mpi_snew(DH1536_MOD_LEN_BITS); + gcry_mpi_powm(s, their_pub, our_dh->priv, DH1536_MODULUS); + + /* Output it in the right format */ + gcry_mpi_print(GCRYMPI_FMT_USG, NULL, 0, &slen, s); + sdata = gcry_malloc_secure(slen + 5); + if (!sdata) { + gcry_mpi_release(s); + return gcry_error(GPG_ERR_ENOMEM); + } + sdata[1] = (slen >> 24) & 0xff; + sdata[2] = (slen >> 16) & 0xff; + sdata[3] = (slen >> 8) & 0xff; + sdata[4] = slen & 0xff; + gcry_mpi_print(GCRYMPI_FMT_USG, sdata+5, slen, NULL, s); + gcry_mpi_release(s); + + /* Calculate the session id */ + hashdata = gcry_malloc_secure(20); + if (!hashdata) { + gcry_free(sdata); + return gcry_error(GPG_ERR_ENOMEM); + } + sdata[0] = 0x00; + gcry_md_hash_buffer(GCRY_MD_SHA1, hashdata, sdata, slen+5); + memmove(sessionid, hashdata, 20); + *sessionidlenp = 20; + + /* Which half should be bold? */ + if (gcry_mpi_cmp(our_dh->pub, their_pub) > 0) { + *halfp = OTRL_SESSIONID_SECOND_HALF_BOLD; + } else { + *halfp = OTRL_SESSIONID_FIRST_HALF_BOLD; + } + + gcry_free(hashdata); + gcry_free(sdata); + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* + * Deallocate the contents of a DH_sesskeys (but not the DH_sesskeys + * itself) + */ +void otrl_dh_session_free(DH_sesskeys *sess) +{ + gcry_cipher_close(sess->sendenc); + gcry_cipher_close(sess->rcvenc); + gcry_md_close(sess->sendmac); + gcry_md_close(sess->rcvmac); + + otrl_dh_session_blank(sess); +} + +/* + * Blank out the contents of a DH_sesskeys (without releasing it) + */ +void otrl_dh_session_blank(DH_sesskeys *sess) +{ + sess->sendenc = NULL; + sess->sendmac = NULL; + sess->rcvenc = NULL; + sess->rcvmac = NULL; + memset(sess->sendctr, 0, 16); + memset(sess->rcvctr, 0, 16); + memset(sess->sendmackey, 0, 20); + memset(sess->rcvmackey, 0, 20); + sess->sendmacused = 0; + sess->rcvmacused = 0; + memset(sess->extrakey, 0, OTRL_EXTRAKEY_BYTES); +} + +/* Increment the top half of a counter block */ +void otrl_dh_incctr(unsigned char *ctr) +{ + int i; + for (i=8;i;--i) { + if (++ctr[i-1]) break; + } +} + +/* Compare two counter values (8 bytes each). Return 0 if ctr1 == ctr2, + * < 0 if ctr1 < ctr2 (as unsigned 64-bit values), > 0 if ctr1 > ctr2. */ +int otrl_dh_cmpctr(const unsigned char *ctr1, const unsigned char *ctr2) +{ + int i; + for (i=0;i<8;++i) { + int c = ctr1[i] - ctr2[i]; + if (c) return c; + } + return 0; +} diff --git a/comm/third_party/libotr/src/dh.h b/comm/third_party/libotr/src/dh.h new file mode 100644 index 0000000000..742c408042 --- /dev/null +++ b/comm/third_party/libotr/src/dh.h @@ -0,0 +1,123 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Chris Alexander, Willy Lew, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __DH_H__ +#define __DH_H__ + +#define DH1536_GROUP_ID 5 + +typedef struct { + unsigned int groupid; + gcry_mpi_t priv, pub; +} DH_keypair; + +/* Which half of the secure session id should be shown in bold? */ +typedef enum { + OTRL_SESSIONID_FIRST_HALF_BOLD, + OTRL_SESSIONID_SECOND_HALF_BOLD +} OtrlSessionIdHalf; + +#define OTRL_EXTRAKEY_BYTES 32 + +typedef struct { + unsigned char sendctr[16]; + unsigned char rcvctr[16]; + gcry_cipher_hd_t sendenc; + gcry_cipher_hd_t rcvenc; + gcry_md_hd_t sendmac; + unsigned char sendmackey[20]; + int sendmacused; + gcry_md_hd_t rcvmac; + unsigned char rcvmackey[20]; + int rcvmacused; + unsigned char extrakey[OTRL_EXTRAKEY_BYTES]; +} DH_sesskeys; + +/* + * Call this once, at plugin load time. It sets up the modulus and + * generator MPIs. + */ +void otrl_dh_init(void); + +/* + * Initialize the fields of a DH keypair. + */ +void otrl_dh_keypair_init(DH_keypair *kp); + +/* + * Copy a DH_keypair. + */ +void otrl_dh_keypair_copy(DH_keypair *dst, const DH_keypair *src); + +/* + * Deallocate the contents of a DH_keypair (but not the DH_keypair + * itself) + */ +void otrl_dh_keypair_free(DH_keypair *kp); + +/* + * Generate a DH keypair for a specified group. + */ +gcry_error_t otrl_dh_gen_keypair(unsigned int groupid, DH_keypair *kp); + +/* + * Construct session keys from a DH keypair and someone else's public + * key. + */ +gcry_error_t otrl_dh_session(DH_sesskeys *sess, const DH_keypair *kp, + gcry_mpi_t y); + +/* + * Compute the secure session id, two encryption keys, and four MAC keys + * given our DH key and their DH public key. + */ +gcry_error_t otrl_dh_compute_v2_auth_keys(const DH_keypair *our_dh, + gcry_mpi_t their_pub, unsigned char *sessionid, size_t *sessionidlenp, + gcry_cipher_hd_t *enc_c, gcry_cipher_hd_t *enc_cp, + gcry_md_hd_t *mac_m1, gcry_md_hd_t *mac_m1p, + gcry_md_hd_t *mac_m2, gcry_md_hd_t *mac_m2p); + +/* + * Compute the secure session id, given our DH key and their DH public + * key. + */ +gcry_error_t otrl_dh_compute_v1_session_id(const DH_keypair *our_dh, + gcry_mpi_t their_pub, unsigned char *sessionid, size_t *sessionidlenp, + OtrlSessionIdHalf *halfp); + +/* + * Deallocate the contents of a DH_sesskeys (but not the DH_sesskeys + * itself) + */ +void otrl_dh_session_free(DH_sesskeys *sess); + +/* + * Blank out the contents of a DH_sesskeys (without releasing it) + */ +void otrl_dh_session_blank(DH_sesskeys *sess); + +/* Increment the top half of a counter block */ +void otrl_dh_incctr(unsigned char *ctr); + +/* Compare two counter values (8 bytes each). Return 0 if ctr1 == ctr2, + * < 0 if ctr1 < ctr2 (as unsigned 64-bit values), > 0 if ctr1 > ctr2. */ +int otrl_dh_cmpctr(const unsigned char *ctr1, const unsigned char *ctr2); + +#endif diff --git a/comm/third_party/libotr/src/instag.c b/comm/third_party/libotr/src/instag.c new file mode 100644 index 0000000000..cccd94fb6c --- /dev/null +++ b/comm/third_party/libotr/src/instag.c @@ -0,0 +1,277 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2015 Ian Goldberg, Rob Smits, Chris Alexander, + * Willy Lew, Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* system headers */ +#include <stdio.h> +#include <stdlib.h> + +/* libgcrypt headers */ +#include <gcrypt.h> + +/* libotr headers */ +#include "instag.h" +#include "userstate.h" + +/* Forget the given instag. */ +void otrl_instag_forget(OtrlInsTag* instag) { + if (!instag) return; + + if (instag->accountname) free(instag->accountname); + if (instag->protocol) free(instag->protocol); + + /* Re-link the list */ + *(instag->tous) = instag->next; + if (instag->next) { + instag->next->tous = instag->tous; + } + + free(instag); +} + +/* Forget all instags in a given OtrlUserState. */ +void otrl_instag_forget_all(OtrlUserState us) { + while(us->instag_root) { + otrl_instag_forget(us->instag_root); + } +} + +/* Fetch the instance tag from the given OtrlUserState associated with + * the given account */ +OtrlInsTag * otrl_instag_find(OtrlUserState us, const char *accountname, + const char *protocol) +{ + OtrlInsTag *p; + + for(p=us->instag_root; p; p=p->next) { + if (!strcmp(p->accountname, accountname) && + !strcmp(p->protocol, protocol)) { + return p; + } + } + return NULL; +} + +/* Read our instance tag from a file on disk into the given + * OtrlUserState. */ +gcry_error_t otrl_instag_read(OtrlUserState us, const char *filename) +{ + gcry_error_t err; + FILE *instf; + + /* Open the instance tag file. */ + instf = fopen(filename, "rb"); + if (!instf) { + return gcry_error_from_errno(errno); + } + + err = otrl_instag_read_FILEp(us, instf); + fclose(instf); + return err; +} + +/* Read our instance tag from a file on disk into the given + * OtrlUserState. The FILE* must be open for reading. */ +gcry_error_t otrl_instag_read_FILEp(OtrlUserState us, FILE *instf) +{ + if (!instf) return gcry_error(GPG_ERR_NO_ERROR); + + OtrlInsTag *p; + char storeline[1000]; + size_t maxsize = sizeof(storeline); + + while(fgets(storeline, maxsize, instf)) { + char *prevpos; + char *pos; + unsigned int instag = 0; + + p = malloc(sizeof(*p)); + if (!p) { + return gcry_error(GPG_ERR_ENOMEM); + } + + /* Parse the line, which should be of the form: + * accountname\tprotocol\t40_hex_nybbles\n */ + prevpos = storeline; + pos = strchr(prevpos, '\t'); + if (!pos) { + free(p); + continue; + } + *pos = '\0'; + pos++; + p->accountname = malloc(pos - prevpos); + if (!(p->accountname)) { + free(p); + return gcry_error(GPG_ERR_ENOMEM); + } + memmove(p->accountname, prevpos, pos - prevpos); + + prevpos = pos; + pos = strchr(prevpos, '\t'); + if (!pos) { + free(p->accountname); + free(p); + continue; + } + *pos = '\0'; + pos++; + p->protocol = malloc(pos - prevpos); + if (!(p->protocol)) { + free(p->accountname); + free(p); + return gcry_error(GPG_ERR_ENOMEM); + } + memmove(p->protocol, prevpos, pos - prevpos); + + prevpos = pos; + pos = strchr(prevpos, '\r'); + if (!pos) pos = strchr(prevpos, '\n'); + if (!pos) { + free(p->accountname); + free(p->protocol); + free(p); + continue; + } + *pos = '\0'; + pos++; + /* hex str of length 8 */ + if (strlen(prevpos) != 8) { + free(p->accountname); + free(p->protocol); + free(p); + continue; + } + + sscanf(prevpos, "%08x", &instag); + + if (instag < OTRL_MIN_VALID_INSTAG) { + free(p->accountname); + free(p->protocol); + free(p); + continue; + } + p->instag = instag; + + /* Link it up */ + p->next = us->instag_root; + if (p->next) { + p->next->tous = &(p->next); + } + p->tous = &(us->instag_root); + us->instag_root = p; + } + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Generate a new instance tag for the given account and write to file */ +gcry_error_t otrl_instag_generate(OtrlUserState us, const char *filename, + const char *accountname, const char *protocol) +{ + gcry_error_t err; + FILE *instf; + + /* Open the instance tag file. */ + instf = fopen(filename, "wb"); + if (!instf) { + return gcry_error_from_errno(errno); + } + + err = otrl_instag_generate_FILEp(us, instf, accountname, protocol); + fclose(instf); + return err; +} + +/* Return a new valid instance tag */ +otrl_instag_t otrl_instag_get_new() +{ + otrl_instag_t result = 0; + + while(result < OTRL_MIN_VALID_INSTAG) { + otrl_instag_t * instag = (otrl_instag_t *)gcry_random_bytes( + sizeof(otrl_instag_t), GCRY_STRONG_RANDOM); + result = *instag; + gcry_free(instag); + } + + return result; +} + +/* Generate a new instance tag for the given account and write to file + * The FILE* must be open for writing. */ +gcry_error_t otrl_instag_generate_FILEp(OtrlUserState us, FILE *instf, + const char *accountname, const char *protocol) +{ + OtrlInsTag *p; + if (!accountname || !protocol) return gcry_error(GPG_ERR_NO_ERROR); + + p = (OtrlInsTag *)malloc(sizeof(OtrlInsTag)); + p->accountname = strdup(accountname); + p->protocol = strdup(protocol); + + p->instag = otrl_instag_get_new(); + + /* Add to our list in OtrlUserState */ + p->next = us->instag_root; + if (p->next) { + p->next->tous = &(p->next); + } + p->tous = &(us->instag_root); + us->instag_root = p; + + otrl_instag_write_FILEp(us, instf); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Write our instance tags to a file on disk. */ +gcry_error_t otrl_instag_write(OtrlUserState us, const char *filename) +{ + gcry_error_t err; + FILE *instf; + + /* Open the instance tag file. */ + instf = fopen(filename, "wb"); + if (!instf) { + return gcry_error_from_errno(errno); + } + + err = otrl_instag_write_FILEp(us, instf); + fclose(instf); + return err; +} + +/* Write our instance tags to a file on disk. + * The FILE* must be open for writing. */ +gcry_error_t otrl_instag_write_FILEp(OtrlUserState us, FILE *instf) +{ + OtrlInsTag *p; + /* This line should be ignored when read back in, since there are no + tabs. */ + fprintf(instf, "# WARNING! You shouldn't copy this file to another" + " computer. It is unnecessary and can cause problems.\n"); + for(p=us->instag_root; p; p=p->next) { + fprintf(instf, "%s\t%s\t%08x\n", p->accountname, p->protocol, + p->instag); + } + + return gcry_error(GPG_ERR_NO_ERROR); +} + diff --git a/comm/third_party/libotr/src/instag.h b/comm/third_party/libotr/src/instag.h new file mode 100644 index 0000000000..c8aabb324f --- /dev/null +++ b/comm/third_party/libotr/src/instag.h @@ -0,0 +1,89 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Rob Smits, Chris Alexander, + * Willy Lew, Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __INSTAG_H__ +#define __INSTAG_H__ + +#include <stdio.h> +#include <errno.h> + +#define OTRL_INSTAG_MASTER 0 +#define OTRL_INSTAG_BEST 1 /* Most secure, based on: conv status, + * then fingerprint status, then most recent. */ +#define OTRL_INSTAG_RECENT 2 +#define OTRL_INSTAG_RECENT_RECEIVED 3 +#define OTRL_INSTAG_RECENT_SENT 4 + +#define OTRL_MIN_VALID_INSTAG 0x100 /* Instag values below this are reserved + * for meta instags, defined above, */ + +typedef unsigned int otrl_instag_t; + +/* The list of instance tags used for our accounts */ +typedef struct s_OtrlInsTag { + struct s_OtrlInsTag *next; + struct s_OtrlInsTag **tous; + + char *accountname; + char *protocol; + otrl_instag_t instag; +} OtrlInsTag; + +#include "userstate.h" + +/* Forget the given instag. */ +void otrl_instag_forget(OtrlInsTag* instag); + +/* Forget all instags in a given OtrlUserState. */ +void otrl_instag_forget_all(OtrlUserState us); + +/* Fetch the instance tag from the given OtrlUserState associated with + * the given account */ +OtrlInsTag * otrl_instag_find(OtrlUserState us, const char *accountname, + const char *protocol); + +/* Read our instance tag from a file on disk into the given + * OtrlUserState. */ +gcry_error_t otrl_instag_read(OtrlUserState us, const char *filename); + +/* Read our instance tag from a file on disk into the given + * OtrlUserState. The FILE* must be open for reading. */ +gcry_error_t otrl_instag_read_FILEp(OtrlUserState us, FILE *instf); + +/* Return a new valid instance tag */ +otrl_instag_t otrl_instag_get_new(); + +/* Get a new instance tag for the given account and write to file*/ +gcry_error_t otrl_instag_generate(OtrlUserState us, const char *filename, + const char *accountname, const char *protocol); + +/* Get a new instance tag for the given account and write to file + * The FILE* must be open for writing. */ +gcry_error_t otrl_instag_generate_FILEp(OtrlUserState us, FILE *instf, + const char *accountname, const char *protocol); + +/* Write our instance tags to a file on disk. */ +gcry_error_t otrl_instag_write(OtrlUserState us, const char *filename); + +/* Write our instance tags to a file on disk. + * The FILE* must be open for writing. */ +gcry_error_t otrl_instag_write_FILEp(OtrlUserState us, FILE *instf); + +#endif diff --git a/comm/third_party/libotr/src/mem.c b/comm/third_party/libotr/src/mem.c new file mode 100644 index 0000000000..29330ae757 --- /dev/null +++ b/comm/third_party/libotr/src/mem.c @@ -0,0 +1,180 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* Memory allocation routines for libgcrypt. All of the session key + * information gets allocated through here, so we can wipe it out when + * it's free()d. We don't use the built-in secmem functions of + * libgcrypt because you need to declare a fixed amount of it when you + * start up. + * + * Because "secure" and "insecure" allocations from libgcrypt will get + * handled the same way (since we're not going to be running as root, + * and so won't actually have pinned memory), pretend all allocated + * memory (but just from libgcrypt) is requested secure, and wipe it on + * free(). */ + +/* Uncomment the following to add a check that our free() and realloc() only + * get called on things returned from our malloc(). */ +/* #define OTRL_MEM_MAGIC 0x31415926 */ + +/* system headers */ +#ifdef OTRL_MEM_MAGIC +#include <stdio.h> +#endif +#include <stdlib.h> + +/* libgcrypt headers */ +#include <gcrypt.h> + +/* libotr headers */ +#include "mem.h" + +static size_t header_size; + +static void *otrl_mem_malloc(size_t n) +{ + void *p; + size_t new_n = n; + new_n += header_size; + + /* Check for overflow attack */ + if (new_n < n) return NULL; + p = malloc(new_n); + if (p == NULL) return NULL; + + ((size_t *)p)[0] = new_n; /* Includes header size */ +#ifdef OTRL_MEM_MAGIC + ((size_t *)p)[1] = OTRL_MEM_MAGIC; +#endif + + return (void *)((char *)p + header_size); +} + +static int otrl_mem_is_secure(const void *p) +{ + return 1; +} + +static void otrl_mem_free(void *p) +{ + void *real_p = (void *)((char *)p - header_size); + size_t n = ((size_t *)real_p)[0]; +#ifdef OTRL_MEM_MAGIC + if (((size_t *)real_p)[1] != OTRL_MEM_MAGIC) { + fprintf(stderr, "Illegal free!\n"); + return; + } +#endif + + /* Wipe the memory (in the same way the built-in deallocator in + * libgcrypt would) */ + memset(real_p, 0xff, n); + memset(real_p, 0xaa, n); + memset(real_p, 0x55, n); + memset(real_p, 0x00, n); + + free(real_p); +} + +static void *otrl_mem_realloc(void *p, size_t n) +{ + if (p == NULL) { + return otrl_mem_malloc(n); + } else if (n == 0) { + otrl_mem_free(p); + return NULL; + } else { + void *real_p = (void *)((char *)p - header_size); + void *new_p; + size_t old_n = ((size_t *)real_p)[0]; +#ifdef OTRL_MEM_MAGIC + size_t magic = ((size_t *)real_p)[1]; +#endif + size_t new_n = n; + new_n += header_size; + + /* Check for overflow attack */ + if (new_n < n) return NULL; + +#ifdef OTRL_MEM_MAGIC + if (magic != OTRL_MEM_MAGIC) { + fprintf(stderr, "Illegal realloc!\n"); + return NULL; + } +#endif + + if (new_n < old_n) { + /* Overwrite the space we're about to stop using */ + void *p = (void *)((char *)real_p + new_n); + size_t excess = old_n - new_n; + memset(p, 0xff, excess); + memset(p, 0xaa, excess); + memset(p, 0x55, excess); + memset(p, 0x00, excess); + + /* We don't actually need to realloc() */ + new_p = real_p; + } else { + new_p = realloc(real_p, new_n); + if (new_p == NULL) return NULL; + } + + ((size_t *)new_p)[0] = new_n; /* Includes header size */ + return (void *)((char *)new_p + header_size); + } +} + +void otrl_mem_init(void) +{ + header_size = 8; +#ifdef OTRL_MEM_MAGIC + if (header_size < 2*sizeof(size_t)) { + header_size = 2*sizeof(size_t); + } +#else + if (header_size < sizeof(size_t)) { + header_size = sizeof(size_t); + } +#endif + + gcry_set_allocation_handler( + otrl_mem_malloc, + otrl_mem_malloc, + otrl_mem_is_secure, + otrl_mem_realloc, + otrl_mem_free + ); +} + +/* Compare two memory blocks in time dependent on the length of the + * blocks, but not their contents. Returns 1 if they differ, 0 if they + * are the same. */ +int otrl_mem_differ(const unsigned char *buf1, const unsigned char *buf2, + size_t len) +{ + volatile unsigned char diff = 0; + size_t i; + + for (i = 0; i < len; ++i) { + diff |= (buf1[i] ^ buf2[i]); + } + return (diff != 0); +} diff --git a/comm/third_party/libotr/src/mem.h b/comm/third_party/libotr/src/mem.h new file mode 100644 index 0000000000..2baf8f2e9a --- /dev/null +++ b/comm/third_party/libotr/src/mem.h @@ -0,0 +1,35 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __MEM_H__ +#define __MEM_H__ + +#include <stdlib.h> + +void otrl_mem_init(void); + +/* Compare two memory blocks in time dependent on the length of the + * blocks, but not their contents. Returns 1 if they differ, 0 if they + * are the same. */ +int otrl_mem_differ(const unsigned char *buf1, const unsigned char *buf2, + size_t len); + +#endif diff --git a/comm/third_party/libotr/src/message.c b/comm/third_party/libotr/src/message.c new file mode 100644 index 0000000000..c44ce7b8fc --- /dev/null +++ b/comm/third_party/libotr/src/message.c @@ -0,0 +1,2058 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2015 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* system headers */ +#include <stdio.h> +#include <stdlib.h> +#include <time.h> + +/* libgcrypt headers */ +#include <gcrypt.h> + +/* libotr headers */ +#include "privkey.h" +#include "userstate.h" +#include "proto.h" +#include "auth.h" +#include "message.h" +#include "sm.h" +#include "instag.h" + +#if OTRL_DEBUGGING +#include <stdio.h> + +/* If OTRL_DEBUGGING is on, and the user types this string, the current + * context and its siblings will be dumped to stderr. */ +const char *OTRL_DEBUGGING_DEBUGSTR = "?OTR!"; + +void otrl_context_all_dump(FILE *f, OtrlUserState us); +void otrl_context_siblings_dump(FILE *f, const ConnContext *context); +#endif + +/* The API version */ +extern unsigned int otrl_api_version; + +/* How long after sending a packet should we wait to send a heartbeat? */ +#define HEARTBEAT_INTERVAL 60 + +/* How old are messages allowed to be in order to be candidates for + * resending in response to a rekey? */ +#define RESEND_INTERVAL 60 + +/* How long should we wait for the last of the logged-in instances of + * our buddy to respond before marking our private key as a candidate + * for wiping (in seconds)? */ +#define MAX_AKE_WAIT_TIME 60 + +/* How frequently should we check our ConnContexts for wipeable private + * keys (and wipe them) (in seconds)? */ +#define POLL_DEFAULT_INTERVAL 70 + +/* Send a message to the network, fragmenting first if necessary. + * All messages to be sent to the network should go through this + * method immediately before they are sent, ie after encryption. */ +static gcry_error_t fragment_and_send(const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context, const char *message, + OtrlFragmentPolicy fragPolicy, char **returnFragment) +{ + int mms = 0; + + if (message && ops->inject_message) { + int msglen; + + if (ops->max_message_size) { + mms = ops->max_message_size(opdata, context); + } + msglen = strlen(message); + + /* Don't incur overhead of fragmentation unless necessary */ + if(mms != 0 && msglen > mms) { + char **fragments; + gcry_error_t err; + int i; + int headerlen = context->protocol_version == 3 ? 37 : 19; + /* Like ceil(msglen/(mms - headerlen)) */ + int fragment_count = ((msglen - 1) / (mms - headerlen)) + 1; + + err = otrl_proto_fragment_create(mms, fragment_count, &fragments, + context, message); + if (err) { + return err; + } + + /* Determine which fragments to send and which to return + * based on given Fragment Policy. If the first fragment + * should be returned instead of sent, store it. */ + if (fragPolicy == OTRL_FRAGMENT_SEND_ALL_BUT_FIRST) { + *returnFragment = strdup(fragments[0]); + } else { + ops->inject_message(opdata, context->accountname, + context->protocol, context->username, fragments[0]); + } + for (i=1; i<fragment_count-1; i++) { + ops->inject_message(opdata, context->accountname, + context->protocol, context->username, fragments[i]); + } + /* If the last fragment should be stored instead of sent, + * store it */ + if (fragPolicy == OTRL_FRAGMENT_SEND_ALL_BUT_LAST) { + *returnFragment = strdup(fragments[fragment_count-1]); + } else { + ops->inject_message(opdata, context->accountname, + context->protocol, context->username, + fragments[fragment_count-1]); + } + /* Now free all fragment memory */ + otrl_proto_fragment_free(&fragments, fragment_count); + + } else { + /* No fragmentation necessary */ + if (fragPolicy == OTRL_FRAGMENT_SEND_ALL) { + ops->inject_message(opdata, context->accountname, + context->protocol, context->username, message); + } else { + /* Copy and return the entire given message. */ + *returnFragment = strdup(message); + } + } + } + + return gcry_error(GPG_ERR_NO_ERROR); +} + +static void populate_context_instag(OtrlUserState us, const OtrlMessageAppOps + *ops, void *opdata, const char *accountname, const char *protocol, + ConnContext *context) { + OtrlInsTag *p_instag; + + p_instag = otrl_instag_find(us, accountname, protocol); + if ((!p_instag) && ops->create_instag) { + ops->create_instag(opdata, accountname, protocol); + p_instag = otrl_instag_find(us, accountname, protocol); + } + + if (p_instag && p_instag->instag >= OTRL_MIN_VALID_INSTAG) { + context->our_instance = p_instag->instag; + } else { + context->our_instance = otrl_instag_get_new(); + } +} + +/* Deallocate a message allocated by other otrl_message_* routines. */ +void otrl_message_free(char *message) +{ + free(message); +} + +/* Handle a message about to be sent to the network. It is safe to pass + * all messages about to be sent to this routine. add_appdata is a + * function that will be called in the event that a new ConnContext is + * created. It will be passed the data that you supplied, as well as a + * pointer to the new ConnContext. You can use this to add + * application-specific information to the ConnContext using the + * "context->app" field, for example. If you don't need to do this, you + * can pass NULL for the last two arguments of otrl_message_sending. + * + * tlvs is a chain of OtrlTLVs to append to the private message. It is + * usually correct to just pass NULL here. + * + * If non-NULL, ops->convert_msg will be called just before encrypting a + * message. + * + * "instag" specifies the instance tag of the buddy (protocol version 3 only). + * Meta-instances may also be specified (e.g., OTRL_INSTAG_MOST_SECURE). + * If "contextp" is not NULL, it will be set to the ConnContext used for + * sending the message. + * + * If no fragmentation or msg injection is wanted, use OTRL_FRAGMENT_SEND_SKIP + * as the OtrlFragmentPolicy. In this case, this function will assign *messagep + * with the encrypted msg. If the routine returns non-zero, then the library + * tried to encrypt the message, but for some reason failed. DO NOT send the + * message in the clear in that case. If *messagep gets set by the call to + * something non-NULL, then you should replace your message with the contents + * of *messagep, and send that instead. + * + * Other fragmentation policies are OTRL_FRAGMENT_SEND_ALL, + * OTRL_FRAGMENT_SEND_ALL_BUT_LAST, or OTRL_FRAGMENT_SEND_ALL_BUT_FIRST. In + * these cases, the appropriate fragments will be automatically sent. For the + * last two policies, the remaining fragment will be passed in *original_msg. + * + * Call otrl_message_free(*messagep) if you don't need *messagep or when you're + * done with it. */ +gcry_error_t otrl_message_sending(OtrlUserState us, + const OtrlMessageAppOps *ops, + void *opdata, const char *accountname, const char *protocol, + const char *recipient, otrl_instag_t their_instag, + const char *original_msg, OtrlTLV *tlvs, char **messagep, + OtrlFragmentPolicy fragPolicy, ConnContext **contextp, + void (*add_appdata)(void *data, ConnContext *context), + void *data) +{ + ConnContext * context = NULL; + char * msgtosend; + const char * err_msg; + gcry_error_t err_code, err; + OtrlPolicy policy = OTRL_POLICY_DEFAULT; + int context_added = 0; + int convert_called = 0; + char *converted_msg = NULL; + + if (messagep) { + *messagep = NULL; + } + + err = gcry_error(GPG_ERR_NO_ERROR); /* Default to no error */ + + if (contextp) { + *contextp = NULL; + } + + if (!accountname || !protocol || !recipient || + !original_msg || !messagep) { + err = gcry_error(GPG_ERR_INV_VALUE); + goto fragment; + } + + /* See if we have a fingerprint for this user */ + context = otrl_context_find(us, recipient, accountname, protocol, + their_instag, 1, &context_added, add_appdata, data); + + /* Update the context list if we added one */ + if (context_added && ops->update_context_list) { + ops->update_context_list(opdata); + } + + /* Find or generate the instance tag if needed */ + if (!context->our_instance) { + populate_context_instag(us, ops, opdata, accountname, protocol, + context); + } + + if (contextp) { + *contextp = context; + } + + /* Check the policy */ + if (ops->policy) { + policy = ops->policy(opdata, context); + } + + /* Should we go on at all? */ + if ((policy & OTRL_POLICY_VERSION_MASK) == 0) { + err = gcry_error(GPG_ERR_NO_ERROR); + goto fragment; + } + +#if OTRL_DEBUGGING + /* If the user typed the magic debug string, dump this context and + * its siblings. */ + { + const char *debugtag = strstr(original_msg, OTRL_DEBUGGING_DEBUGSTR); + + if (debugtag) { + const char *debugargs = + debugtag + strlen(OTRL_DEBUGGING_DEBUGSTR); + if (debugargs[0] == '!') { /* typed ?OTR!! */ + otrl_context_all_dump(stderr, us); + } else { /* typed ?OTR! without extra command chars */ + otrl_context_siblings_dump(stderr, context); + } + + /* Don't actually send the message */ + *messagep = strdup(""); + if (!(*messagep)) { + err = gcry_error(GPG_ERR_ENOMEM); + } + goto fragment; + } + } +#endif + + /* If this is an OTR Query message, don't encrypt it. */ + if (otrl_proto_message_type(original_msg) == OTRL_MSGTYPE_QUERY) { + /* Replace the "?OTR?" with a custom message */ + char *bettermsg = otrl_proto_default_query_msg(accountname, policy); + if (bettermsg) { + *messagep = bettermsg; + } + context->otr_offer = OFFER_SENT; + err = gcry_error(GPG_ERR_NO_ERROR); + goto fragment; + } + + /* What is the current message disposition? */ + switch(context->msgstate) { + + case OTRL_MSGSTATE_PLAINTEXT: + if ((policy & OTRL_POLICY_REQUIRE_ENCRYPTION)) { + /* We're trying to send an unencrypted message with a policy + * that disallows that. Don't do that, but try to start + * up OTR instead. */ + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_ENCRYPTION_REQUIRED, + context, NULL, gcry_error(GPG_ERR_NO_ERROR)); + } + + context->context_priv->lastmessage = + gcry_malloc_secure(strlen(original_msg) + 1); + if (context->context_priv->lastmessage) { + char *bettermsg = otrl_proto_default_query_msg(accountname, + policy); + strcpy(context->context_priv->lastmessage, original_msg); + context->context_priv->lastsent = time(NULL); + otrl_context_update_recent_child(context, 1); + context->context_priv->may_retransmit = 2; + if (bettermsg) { + *messagep = bettermsg; + context->otr_offer = OFFER_SENT; + } else { + err = gcry_error(GPG_ERR_ENOMEM); + goto fragment; + } + } + } else { + if ((policy & OTRL_POLICY_SEND_WHITESPACE_TAG) && + context->otr_offer != OFFER_REJECTED) { + /* See if this user can speak OTR. Append the + * OTR_MESSAGE_TAG to the plaintext message, and see + * if he responds. */ + size_t msglen = strlen(original_msg); + size_t basetaglen = strlen(OTRL_MESSAGE_TAG_BASE); + size_t v1taglen = (policy & OTRL_POLICY_ALLOW_V1) ? + strlen(OTRL_MESSAGE_TAG_V1) : 0; + size_t v2taglen = (policy & OTRL_POLICY_ALLOW_V2) ? + strlen(OTRL_MESSAGE_TAG_V2) : 0; + size_t v3taglen = (policy & OTRL_POLICY_ALLOW_V3) ? + strlen(OTRL_MESSAGE_TAG_V3) : 0; + char *taggedmsg = malloc(msglen + basetaglen + v1taglen + + v2taglen + v3taglen + 1); + if (taggedmsg) { + strcpy(taggedmsg, original_msg); + strcpy(taggedmsg + msglen, OTRL_MESSAGE_TAG_BASE); + if (v1taglen) { + strcpy(taggedmsg + msglen + basetaglen, + OTRL_MESSAGE_TAG_V1); + } + if (v2taglen) { + strcpy(taggedmsg + msglen + basetaglen + v1taglen, + OTRL_MESSAGE_TAG_V2); + } + if (v3taglen) { + strcpy(taggedmsg + msglen + basetaglen + v1taglen + + v2taglen, OTRL_MESSAGE_TAG_V3); + } + *messagep = taggedmsg; + context->otr_offer = OFFER_SENT; + } + } + } + break; + case OTRL_MSGSTATE_ENCRYPTED: + /* convert the original message if necessary */ + if (ops->convert_msg) { + ops->convert_msg(opdata, context, OTRL_CONVERT_SENDING, + &converted_msg, original_msg); + + if (converted_msg) { + convert_called = 1; + } + } + + /* Create the new, encrypted message */ + if (convert_called) { + err_code = otrl_proto_create_data(&msgtosend, context, + converted_msg, tlvs, 0, NULL); + + if (ops->convert_free) { + ops->convert_free(opdata, context, converted_msg); + converted_msg = NULL; + } + } else { + err_code = otrl_proto_create_data(&msgtosend, context, + original_msg, tlvs, 0, NULL); + } + if (!err_code) { + context->context_priv->lastsent = time(NULL); + otrl_context_update_recent_child(context, 1); + *messagep = msgtosend; + } else { + /* Uh, oh. Whatever we do, *don't* send the message in the + * clear. */ + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_ENCRYPTION_ERROR, + context, NULL, gcry_error(GPG_ERR_NO_ERROR)); + } + if (ops->otr_error_message) { + err_msg = ops->otr_error_message(opdata, context, + OTRL_ERRCODE_ENCRYPTION_ERROR); + *messagep = malloc(strlen(OTR_ERROR_PREFIX) + + strlen(err_msg) + 1); + if (*messagep) { + strcpy(*messagep, OTR_ERROR_PREFIX); + strcat(*messagep, err_msg); + } + if (ops->otr_error_message_free) { + ops->otr_error_message_free(opdata, err_msg); + } + if (!(*messagep)) { + err = gcry_error(GPG_ERR_ENOMEM); + goto fragment; + } + } + } + break; + case OTRL_MSGSTATE_FINISHED: + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, OTRL_MSGEVENT_CONNECTION_ENDED, + context, NULL, gcry_error(GPG_ERR_NO_ERROR)); + } + *messagep = strdup(""); + if (!(*messagep)) { + err = gcry_error(GPG_ERR_ENOMEM); + goto fragment; + } + break; + } + +fragment: + if (fragPolicy == OTRL_FRAGMENT_SEND_SKIP ) { + /* Do not fragment/inject. Default behaviour of libotr3.2.0 */ + return err; + } else { + /* Fragment and send according to policy */ + if (!err && messagep && *messagep) { + if (context) { + char *rmessagep = NULL; + err = fragment_and_send(ops, opdata, context, *messagep, + fragPolicy, &rmessagep); + if (rmessagep) { + /* Free the current message pointer and return back the + * returned fragmented one. */ + free(*messagep); + *messagep = rmessagep; + } + } + } + return err; + } +} + +/* If err == 0, send the last auth message for the given context to the + * appropriate user. Otherwise, display an appripriate error dialog. + * Return the value of err that was passed. */ +static gcry_error_t send_or_error_auth(const OtrlMessageAppOps *ops, + void *opdata, gcry_error_t err, ConnContext *context, + OtrlUserState us) +{ + if (!err) { + const char *msg = context->auth.lastauthmsg; + if (msg && *msg) { + fragment_and_send(ops, opdata, context, msg, + OTRL_FRAGMENT_SEND_ALL, NULL); + time_t now = time(NULL); + /* Update the "last sent" fields, unless this is a version 3 + * message typing to update the master context (as happens + * when sending a v3 COMMIT message, for example). */ + if (context != context->m_context || + context->auth.protocol_version != 3) { + context->context_priv->lastsent = now; + otrl_context_update_recent_child(context, 1); + } + + /* If this is a master context, and we're sending a v3 COMMIT + * message, update the commit_sent_time timestamp, so we can + * expire it. */ + if (context == context->m_context && + context->auth.authstate == OTRL_AUTHSTATE_AWAITING_DHKEY && + context->auth.protocol_version == 3) { + context->auth.commit_sent_time = now; + /* If there's not already a timer running to clean up + * this private key, try to start one. */ + if (us->timer_running == 0 && ops && ops->timer_control) { + ops->timer_control(opdata, POLL_DEFAULT_INTERVAL); + us->timer_running = 1; + } + } + } + } else { + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, OTRL_MSGEVENT_SETUP_ERROR, + context, NULL, err); + } + } + return err; +} + +typedef struct { + int gone_encrypted; + OtrlUserState us; + const OtrlMessageAppOps *ops; + void *opdata; + ConnContext *context; + int ignore_message; + char **messagep; +} EncrData; + +static gcry_error_t go_encrypted(const OtrlAuthInfo *auth, void *asdata) +{ + EncrData *edata = asdata; + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + Fingerprint *found_print = NULL; + int fprint_added = 0; + OtrlMessageState oldstate = edata->context->msgstate; + Fingerprint *oldprint = edata->context->active_fingerprint; + + /* See if we're talking to ourselves */ + if (!gcry_mpi_cmp(auth->their_pub, auth->our_dh.pub)) { + /* Yes, we are. */ + if (edata->ops->handle_msg_event) { + edata->ops->handle_msg_event(edata->opdata, + OTRL_MSGEVENT_MSG_REFLECTED, edata->context, + NULL, gcry_error(GPG_ERR_NO_ERROR)); + } + edata->ignore_message = 1; + return gcry_error(GPG_ERR_NO_ERROR); + } + + found_print = otrl_context_find_fingerprint(edata->context, + edata->context->auth.their_fingerprint, 1, &fprint_added); + + if (fprint_added) { + /* Inform the user of the new fingerprint */ + if (edata->ops->new_fingerprint) { + edata->ops->new_fingerprint(edata->opdata, edata->us, + edata->context->accountname, edata->context->protocol, + edata->context->username, + edata->context->auth.their_fingerprint); + } + /* Arrange that the new fingerprint be written to disk */ + if (edata->ops->write_fingerprints) { + edata->ops->write_fingerprints(edata->opdata); + } + } + + /* Is this a new session or just a refresh of an existing one? */ + if (edata->context->msgstate == OTRL_MSGSTATE_ENCRYPTED && + oldprint == found_print && + edata->context->context_priv->our_keyid - 1 == + edata->context->auth.our_keyid && + !gcry_mpi_cmp(edata->context->context_priv->our_old_dh_key.pub, + edata->context->auth.our_dh.pub) && + ((edata->context->context_priv->their_keyid > 0 && + edata->context->context_priv->their_keyid == + edata->context->auth.their_keyid && + !gcry_mpi_cmp(edata->context->context_priv->their_y, + edata->context->auth.their_pub)) || + (edata->context->context_priv->their_keyid > 1 && + edata->context->context_priv->their_keyid - 1 == + edata->context->auth.their_keyid && + edata->context->context_priv->their_old_y != NULL && + !gcry_mpi_cmp(edata->context->context_priv->their_old_y, + edata->context->auth.their_pub)))) { + /* This is just a refresh of the existing session. */ + if (edata->ops->still_secure) { + edata->ops->still_secure(edata->opdata, edata->context, + edata->context->auth.initiated); + } + edata->ignore_message = 1; + return gcry_error(GPG_ERR_NO_ERROR); + } + + /* Copy the information from the auth into the context */ + memmove(edata->context->sessionid, + edata->context->auth.secure_session_id, 20); + edata->context->sessionid_len = + edata->context->auth.secure_session_id_len; + edata->context->sessionid_half = + edata->context->auth.session_id_half; + edata->context->protocol_version = + edata->context->auth.protocol_version; + + edata->context->context_priv->their_keyid = + edata->context->auth.their_keyid; + gcry_mpi_release(edata->context->context_priv->their_y); + gcry_mpi_release(edata->context->context_priv->their_old_y); + edata->context->context_priv->their_y = + gcry_mpi_copy(edata->context->auth.their_pub); + edata->context->context_priv->their_old_y = NULL; + + if (edata->context->context_priv->our_keyid - 1 != + edata->context->auth.our_keyid || + gcry_mpi_cmp(edata->context->context_priv->our_old_dh_key.pub, + edata->context->auth.our_dh.pub)) { + otrl_dh_keypair_free(&(edata->context->context_priv->our_dh_key)); + otrl_dh_keypair_free(&(edata->context->context_priv->our_old_dh_key)); + otrl_dh_keypair_copy(&(edata->context->context_priv->our_old_dh_key), + &(edata->context->auth.our_dh)); + otrl_dh_gen_keypair( + edata->context->context_priv->our_old_dh_key.groupid, + &(edata->context->context_priv->our_dh_key)); + edata->context->context_priv->our_keyid = edata->context->auth.our_keyid + + 1; + } + + /* Create the session keys from the DH keys */ + otrl_dh_session_free(&(edata->context->context_priv->sesskeys[0][0])); + err = otrl_dh_session(&(edata->context->context_priv->sesskeys[0][0]), + &(edata->context->context_priv->our_dh_key), + edata->context->context_priv->their_y); + if (err) return err; + otrl_dh_session_free(&(edata->context->context_priv->sesskeys[1][0])); + err = otrl_dh_session(&(edata->context->context_priv->sesskeys[1][0]), + &(edata->context->context_priv->our_old_dh_key), + edata->context->context_priv->their_y); + if (err) return err; + + edata->context->context_priv->generation++; + edata->context->active_fingerprint = found_print; + edata->context->msgstate = OTRL_MSGSTATE_ENCRYPTED; + + if (edata->ops->update_context_list) { + edata->ops->update_context_list(edata->opdata); + } + if (oldstate == OTRL_MSGSTATE_ENCRYPTED && oldprint == found_print) { + if (edata->ops->still_secure) { + edata->ops->still_secure(edata->opdata, edata->context, + edata->context->auth.initiated); + } + } else { + if (edata->ops->gone_secure) { + edata->ops->gone_secure(edata->opdata, edata->context); + } + } + + edata->gone_encrypted = 1; + + return gpg_error(GPG_ERR_NO_ERROR); +} + +static void maybe_resend(EncrData *edata) +{ + gcry_error_t err; + time_t now; + + if (!edata->gone_encrypted) return; + + /* See if there's a message we sent recently that should be resent. */ + now = time(NULL); + if (edata->context->context_priv->lastmessage != NULL && + edata->context->context_priv->may_retransmit && + edata->context->context_priv->lastsent >= (now - RESEND_INTERVAL)) { + char *resendmsg; + char *msg_to_send; + int resending = (edata->context->context_priv->may_retransmit == 1); + + /* Initialize msg_to_send */ + if (resending) { + const char *resent_prefix; + int used_ops_resentmp = 1; + resent_prefix = edata->ops->resent_msg_prefix ? + edata->ops->resent_msg_prefix(edata->opdata, + edata->context) : NULL; + if (!resent_prefix) { + resent_prefix = "[resent]"; /* Assign default prefix */ + used_ops_resentmp = 0; + } + msg_to_send = malloc( + strlen(edata->context->context_priv->lastmessage) + + strlen(resent_prefix) + 2); + if (msg_to_send) { + strcpy(msg_to_send, resent_prefix); + strcat(msg_to_send, " "); + strcat(msg_to_send, edata->context->context_priv->lastmessage); + } else { + return; /* Out of memory; don't try to resend */ + } + if (used_ops_resentmp) { + edata->ops->resent_msg_prefix_free(edata->opdata, + resent_prefix); + } + } else { + msg_to_send = edata->context->context_priv->lastmessage; + } + + /* Re-encrypt the message with the new keys */ + err = otrl_proto_create_data(&resendmsg, + edata->context, msg_to_send, NULL, 0, NULL); + if (resending) { + free(msg_to_send); + } + if (!err) { + /* Resend the message */ + fragment_and_send(edata->ops, edata->opdata, edata->context, + resendmsg, OTRL_FRAGMENT_SEND_ALL, NULL); + free(resendmsg); + edata->context->context_priv->lastsent = now; + otrl_context_update_recent_child(edata->context, 1); + if (resending) { + /* We're not sending it for the first time; let the user + * know we resent it */ + if (edata->ops->handle_msg_event) { + edata->ops->handle_msg_event(edata->opdata, + OTRL_MSGEVENT_MSG_RESENT, edata->context, + NULL, gcry_error(GPG_ERR_NO_ERROR)); + } + } + edata->ignore_message = 1; + } + } +} + +/* Set the trust level based on the result of the SMP */ +static void set_smp_trust(const OtrlMessageAppOps *ops, void *opdata, + ConnContext *context, int trusted) +{ + otrl_context_set_trust(context->active_fingerprint, trusted ? "smp" : ""); + + /* Write the new info to disk, redraw the ui, and redraw the + * OTR buttons. */ + if (ops->write_fingerprints) { + ops->write_fingerprints(opdata); + } +} + +static void init_respond_smp(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context, const char *question, + const unsigned char *secret, size_t secretlen, int initiating) +{ + unsigned char *smpmsg = NULL; + int smpmsglen; + unsigned char combined_secret[SM_DIGEST_SIZE]; + gcry_error_t err; + unsigned char our_fp[20]; + unsigned char *combined_buf; + size_t combined_buf_len; + OtrlTLV *sendtlv; + char *sendsmp = NULL; + + if (!context || context->msgstate != OTRL_MSGSTATE_ENCRYPTED) return; + + /* + * Construct the combined secret as a SHA256 hash of: + * Version byte (0x01), Initiator fingerprint (20 bytes), + * responder fingerprint (20 bytes), secure session id, input secret + */ + otrl_privkey_fingerprint_raw(us, our_fp, context->accountname, + context->protocol); + + combined_buf_len = 41 + context->sessionid_len + secretlen; + combined_buf = malloc(combined_buf_len); + combined_buf[0] = 0x01; + if (initiating) { + memmove(combined_buf + 1, our_fp, 20); + memmove(combined_buf + 21, + context->active_fingerprint->fingerprint, 20); + } else { + memmove(combined_buf + 1, + context->active_fingerprint->fingerprint, 20); + memmove(combined_buf + 21, our_fp, 20); + } + memmove(combined_buf + 41, context->sessionid, + context->sessionid_len); + memmove(combined_buf + 41 + context->sessionid_len, + secret, secretlen); + gcry_md_hash_buffer(SM_HASH_ALGORITHM, combined_secret, combined_buf, + combined_buf_len); + free(combined_buf); + + if (initiating) { + otrl_sm_step1(context->smstate, combined_secret, SM_DIGEST_SIZE, + &smpmsg, &smpmsglen); + } else { + otrl_sm_step2b(context->smstate, combined_secret, SM_DIGEST_SIZE, + &smpmsg, &smpmsglen); + } + + /* If we've got a question, attach it to the smpmsg */ + if (question != NULL) { + size_t qlen = strlen(question); + unsigned char *qsmpmsg = malloc(qlen + 1 + smpmsglen); + if (!qsmpmsg) { + free(smpmsg); + return; + } + strcpy((char *)qsmpmsg, question); + memmove(qsmpmsg + qlen + 1, smpmsg, smpmsglen); + free(smpmsg); + smpmsg = qsmpmsg; + smpmsglen += qlen + 1; + } + + /* Send msg with next smp msg content */ + sendtlv = otrl_tlv_new(initiating ? + (question != NULL ? OTRL_TLV_SMP1Q : OTRL_TLV_SMP1) + : OTRL_TLV_SMP2, + smpmsglen, smpmsg); + err = otrl_proto_create_data(&sendsmp, context, "", sendtlv, + OTRL_MSGFLAGS_IGNORE_UNREADABLE, NULL); + if (!err) { + /* Send it, and set the next expected message to the + * logical response */ + err = fragment_and_send(ops, opdata, context, + sendsmp, OTRL_FRAGMENT_SEND_ALL, NULL); + context->smstate->nextExpected = + initiating ? OTRL_SMP_EXPECT2 : OTRL_SMP_EXPECT3; + } + free(sendsmp); + otrl_tlv_free(sendtlv); + free(smpmsg); +} + +/* Initiate the Socialist Millionaires' Protocol */ +void otrl_message_initiate_smp(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context, const unsigned char *secret, + size_t secretlen) +{ + init_respond_smp(us, ops, opdata, context, NULL, secret, secretlen, 1); +} + +/* Initiate the Socialist Millionaires' Protocol and send a prompt + * question to the buddy */ +void otrl_message_initiate_smp_q(OtrlUserState us, + const OtrlMessageAppOps *ops, void *opdata, ConnContext *context, + const char *question, const unsigned char *secret, size_t secretlen) +{ + init_respond_smp(us, ops, opdata, context, question, secret, secretlen, 1); +} + +/* Respond to a buddy initiating the Socialist Millionaires' Protocol */ +void otrl_message_respond_smp(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context, const unsigned char *secret, + size_t secretlen) +{ + init_respond_smp(us, ops, opdata, context, NULL, secret, secretlen, 0); +} + +/* Abort the SMP. Called when an unexpected SMP message breaks the + * normal flow. */ +void otrl_message_abort_smp(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context) +{ + OtrlTLV *sendtlv = otrl_tlv_new(OTRL_TLV_SMP_ABORT, 0, + (const unsigned char *)""); + char *sendsmp = NULL; + gcry_error_t err; + + context->smstate->nextExpected = OTRL_SMP_EXPECT1; + + err = otrl_proto_create_data(&sendsmp, + context, "", sendtlv, + OTRL_MSGFLAGS_IGNORE_UNREADABLE, NULL); + if (!err) { + /* Send the abort signal so our buddy knows we've stopped */ + err = fragment_and_send(ops, opdata, context, + sendsmp, OTRL_FRAGMENT_SEND_ALL, NULL); + } + free(sendsmp); + otrl_tlv_free(sendtlv); +} + +static void message_malformed(const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context) { + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, OTRL_MSGEVENT_RCVDMSG_MALFORMED, context, + NULL, gcry_error(GPG_ERR_NO_ERROR)); + } + + if (ops->inject_message && ops->otr_error_message) { + const char *err_msg = ops->otr_error_message(opdata, context, + OTRL_ERRCODE_MSG_MALFORMED); + + if (err_msg) { + char *buf = malloc(strlen(OTR_ERROR_PREFIX) + strlen(err_msg) + 1); + + if (buf) { + strcpy(buf, OTR_ERROR_PREFIX); + strcat(buf, err_msg); + ops->inject_message(opdata, context->accountname, + context->protocol, context->username, buf); + free(buf); + } + + if (ops->otr_error_message_free) { + ops->otr_error_message_free(opdata, err_msg); + } + } + } +} + + +/* Handle a message just received from the network. It is safe to pass + * all received messages to this routine. add_appdata is a function + * that will be called in the event that a new ConnContext is created. + * It will be passed the data that you supplied, as well as + * a pointer to the new ConnContext. You can use this to add + * application-specific information to the ConnContext using the + * "context->app" field, for example. If you don't need to do this, you + * can pass NULL for the last two arguments of otrl_message_receiving. + * + * If non-NULL, ops->convert_msg will be called after a data message is + * decrypted. + * + * If "contextp" is not NULL, it will be set to the ConnContext used for + * receiving the message. + * + * If otrl_message_receiving returns 1, then the message you received + * was an internal protocol message, and no message should be delivered + * to the user. + * + * If it returns 0, then check if *messagep was set to non-NULL. If + * so, replace the received message with the contents of *messagep, and + * deliver that to the user instead. You must call + * otrl_message_free(*messagep) when you're done with it. If tlvsp is + * non-NULL, *tlvsp will be set to a chain of any TLVs that were + * transmitted along with this message. You must call + * otrl_tlv_free(*tlvsp) when you're done with those. + * + * If otrl_message_receiving returns 0 and *messagep is NULL, then this + * was an ordinary, non-OTR message, which should just be delivered to + * the user without modification. */ +int otrl_message_receiving(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, const char *accountname, const char *protocol, + const char *sender, const char *message, char **newmessagep, + OtrlTLV **tlvsp, ConnContext **contextp, + void (*add_appdata)(void *data, ConnContext *context), + void *data) +{ + ConnContext *context, *m_context, *best_context; + OtrlMessageType msgtype; + int context_added = 0; + OtrlPolicy policy = OTRL_POLICY_DEFAULT; + char *unfragmessage = NULL, *otrtag = NULL; + EncrData edata; + otrl_instag_t our_instance = 0, their_instance = 0; + int version; + gcry_error_t err; + + if (!accountname || !protocol || !sender || !message || !newmessagep) + return 0; + + *newmessagep = NULL; + if (tlvsp) *tlvsp = NULL; + + if (contextp) { + *contextp = NULL; + } + + /* Find the master context and state with this correspondent */ + m_context = otrl_context_find(us, sender, accountname, + protocol, OTRL_INSTAG_MASTER, 1, &context_added, add_appdata, data); + context = m_context; + + /* Update the context list if we added one */ + if (context_added && ops->update_context_list) { + ops->update_context_list(opdata); + } + + best_context = otrl_context_find(us, sender, accountname, + protocol, OTRL_INSTAG_BEST, 0, NULL, add_appdata, data); + + /* Find or generate the instance tag if needed */ + if (!context->our_instance) { + populate_context_instag(us, ops, opdata, accountname, protocol, + context); + } + + + /* Check the policy */ + if (ops->policy) { + policy = ops->policy(opdata, context); + } + + /* Should we go on at all? */ + if ((policy & OTRL_POLICY_VERSION_MASK) == 0) { + return 0; + } + + otrtag = strstr(message, "?OTR"); + if (otrtag) { + /* See if we have a V3 fragment. The '4' in the next line is + * strlen("?OTR"). otrtag[4] is the character immediately after + * the "?OTR", and is guaranteed to exist, because in the worst + * case, it is the NUL terminating 'message'. */ + if (otrtag[4] == '|') { + /* Get the instance tag from fragment header*/ + sscanf(otrtag, "?OTR|%x|%x,", &their_instance, &our_instance); + /* Ignore message if it is intended for a different instance */ + if (our_instance && context->our_instance != our_instance) { + + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_RCVDMSG_FOR_OTHER_INSTANCE, + m_context, NULL, gcry_error(GPG_ERR_NO_ERROR)); + } + return 1; + } + /* Get the context for this instance */ + if (their_instance >= OTRL_MIN_VALID_INSTAG) { + context = otrl_context_find(us, sender, accountname, + protocol, their_instance, 1, &context_added, + add_appdata, data); + } else { + message_malformed(ops, opdata, context); + return 1; + } + } + switch(otrl_proto_fragment_accumulate(&unfragmessage, + context, message)) { + case OTRL_FRAGMENT_UNFRAGMENTED: + /* Do nothing */ + break; + case OTRL_FRAGMENT_INCOMPLETE: + /* We've accumulated this fragment, but we don't have a + * complete message yet */ + return 1; + case OTRL_FRAGMENT_COMPLETE: + /* We've got a new complete message, in unfragmessage. */ + message = unfragmessage; + otrtag = strstr(message, "?OTR"); + break; + } + } + + /* What type of message is it? Note that this just checks the + * header; it's not necessarily a _valid_ message of this type. */ + msgtype = otrl_proto_message_type(message); + version = otrl_proto_message_version(message); + + /* See if they responded to our OTR offer */ + if ((policy & OTRL_POLICY_SEND_WHITESPACE_TAG)) { + if (msgtype != OTRL_MSGTYPE_NOTOTR) { + context->otr_offer = OFFER_ACCEPTED; + } else if (context->otr_offer == OFFER_SENT) { + context->otr_offer = OFFER_REJECTED; + } + } + + /* Check that this version is allowed by the policy */ + if (((version == 3) && !(policy & OTRL_POLICY_ALLOW_V3)) + || ((version == 2) && !(policy & OTRL_POLICY_ALLOW_V2)) + || ((version == 1) && !(policy & OTRL_POLICY_ALLOW_V1))) { + edata.ignore_message = 1; + goto end; + } + /* Check the to and from instance tags */ + if (version == 3) { + err = gcry_error(GPG_ERR_INV_VALUE); + if (otrtag) { + err = otrl_proto_instance(otrtag, &their_instance, &our_instance); + } + if (!err) { + if ((msgtype == OTRL_MSGTYPE_DH_COMMIT && our_instance && + context->our_instance != our_instance) || + (msgtype != OTRL_MSGTYPE_DH_COMMIT && + context->our_instance != our_instance)) { + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_RCVDMSG_FOR_OTHER_INSTANCE, + m_context, NULL, gcry_error(GPG_ERR_NO_ERROR)); + } + /* ignore message intended for a different instance */ + edata.ignore_message = 1; + goto end; + } + + if (their_instance >= OTRL_MIN_VALID_INSTAG) { + context = otrl_context_find(us, sender, accountname, + protocol, their_instance, 1, &context_added, + add_appdata, data); + } + } + + if (err || their_instance < OTRL_MIN_VALID_INSTAG) { + message_malformed(ops, opdata, context); + edata.ignore_message = 1; + goto end; + } + + if (context_added) { + /* Context added because of new instance (either here or when + * accumulating fragments */ + /* Copy information from m_context to the new instance context */ + context->auth.protocol_version = 3; + context->protocol_version = 3; + context->msgstate = m_context->msgstate; + + if (m_context->context_priv->may_retransmit) { + gcry_free(context->context_priv->lastmessage); + context->context_priv->lastmessage = m_context->context_priv->lastmessage; + m_context->context_priv->lastmessage = NULL; + context->context_priv->may_retransmit = m_context->context_priv->may_retransmit; + m_context->context_priv->may_retransmit = 0; + } + + if (msgtype == OTRL_MSGTYPE_DH_KEY) { + otrl_auth_copy_on_key(&(m_context->auth), &(context->auth)); + } else if (msgtype != OTRL_MSGTYPE_DH_COMMIT) { + edata.ignore_message = 1; + goto end; + } + + /* Update the context list */ + if (ops->update_context_list) { + ops->update_context_list(opdata); + } + } else if (m_context != context) { + /* Switching from m_context to existing instance context */ + if (msgtype == OTRL_MSGTYPE_DH_KEY && m_context->auth.authstate + == OTRL_AUTHSTATE_AWAITING_DHKEY && + !(context->auth.authstate == + OTRL_AUTHSTATE_AWAITING_DHKEY)) { + context->msgstate = m_context->msgstate; + context->auth.protocol_version = 3; + context->protocol_version = 3; + otrl_auth_copy_on_key(&(m_context->auth), &(context->auth)); + } + } + } + + if (contextp) { + *contextp = context; + } + + /* update time of last received message */ + context->context_priv->lastrecv = time(NULL); + otrl_context_update_recent_child(context, 0); + + edata.gone_encrypted = 0; + edata.us = us; + edata.context = context; + edata.ops = ops; + edata.opdata = opdata; + edata.ignore_message = -1; + edata.messagep = newmessagep; + + switch(msgtype) { + unsigned int bestversion; + const char *startwhite, *endwhite; + DH_keypair *our_dh; + unsigned int our_keyid; + OtrlPrivKey *privkey; + int haveauthmsg; + + case OTRL_MSGTYPE_QUERY: + /* See if we should use an existing DH keypair, or generate + * a fresh one. */ + if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED) { + our_dh = &(context->context_priv->our_old_dh_key); + our_keyid = context->context_priv->our_keyid - 1; + } else { + our_dh = NULL; + our_keyid = 0; + } + + /* Find the best version of OTR that we both speak */ + switch(otrl_proto_query_bestversion(message, policy)) { + case 3: + err = otrl_auth_start_v23(&(context->auth), 3); + send_or_error_auth(ops, opdata, err, context, us); + break; + case 2: + err = otrl_auth_start_v23(&(context->auth), 2); + send_or_error_auth(ops, opdata, err, context, us); + break; + case 1: + /* Get our private key */ + privkey = otrl_privkey_find(us, context->accountname, + context->protocol); + if (privkey == NULL) { + /* We've got no private key! */ + if (ops->create_privkey) { + ops->create_privkey(opdata, context->accountname, + context->protocol); + privkey = otrl_privkey_find(us, + context->accountname, context->protocol); + } + } + if (privkey) { + err = otrl_auth_start_v1(&(context->auth), our_dh, + our_keyid, privkey); + send_or_error_auth(ops, opdata, err, context, us); + } + break; + default: + /* Just ignore this message */ + break; + } + /* Don't display the Query message to the user. */ + if (edata.ignore_message == -1) edata.ignore_message = 1; + break; + + case OTRL_MSGTYPE_DH_COMMIT: + err = otrl_auth_handle_commit(&(context->auth), otrtag, version); + send_or_error_auth(ops, opdata, err, context, us); + + if (edata.ignore_message == -1) edata.ignore_message = 1; + break; + + case OTRL_MSGTYPE_DH_KEY: + /* Get our private key */ + privkey = otrl_privkey_find(us, context->accountname, + context->protocol); + if (privkey == NULL) { + /* We've got no private key! */ + if (ops->create_privkey) { + ops->create_privkey(opdata, context->accountname, + context->protocol); + privkey = otrl_privkey_find(us, + context->accountname, context->protocol); + } + } + if (privkey) { + err = otrl_auth_handle_key(&(context->auth), otrtag, + &haveauthmsg, privkey); + if (err || haveauthmsg) { + send_or_error_auth(ops, opdata, err, context, us); + } + } + + if (edata.ignore_message == -1) edata.ignore_message = 1; + break; + + case OTRL_MSGTYPE_REVEALSIG: + /* Get our private key */ + privkey = otrl_privkey_find(us, context->accountname, + context->protocol); + if (privkey == NULL) { + /* We've got no private key! */ + if (ops->create_privkey) { + ops->create_privkey(opdata, context->accountname, + context->protocol); + privkey = otrl_privkey_find(us, + context->accountname, context->protocol); + } + } + if (privkey) { + err = otrl_auth_handle_revealsig(&(context->auth), + otrtag, &haveauthmsg, privkey, go_encrypted, + &edata); + if (err || haveauthmsg) { + send_or_error_auth(ops, opdata, err, context, us); + maybe_resend(&edata); + } + } + + if (edata.ignore_message == -1) edata.ignore_message = 1; + break; + + case OTRL_MSGTYPE_SIGNATURE: + err = otrl_auth_handle_signature(&(context->auth), + otrtag, &haveauthmsg, go_encrypted, &edata); + if (err || haveauthmsg) { + send_or_error_auth(ops, opdata, err, context, us); + maybe_resend(&edata); + } + + if (edata.ignore_message == -1) edata.ignore_message = 1; + break; + + case OTRL_MSGTYPE_V1_KEYEXCH: + /* See if we should use an existing DH keypair, or generate + * a fresh one. */ + if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED) { + our_dh = &(context->context_priv->our_old_dh_key); + our_keyid = context->context_priv->our_keyid - 1; + } else { + our_dh = NULL; + our_keyid = 0; + } + + /* Get our private key */ + privkey = otrl_privkey_find(us, context->accountname, + context->protocol); + if (privkey == NULL) { + /* We've got no private key! */ + if (ops->create_privkey) { + ops->create_privkey(opdata, context->accountname, + context->protocol); + privkey = otrl_privkey_find(us, context->accountname, + context->protocol); + } + } + if (privkey) { + err = otrl_auth_handle_v1_key_exchange(&(context->auth), + message, &haveauthmsg, privkey, our_dh, our_keyid, + go_encrypted, &edata); + if (err || haveauthmsg) { + send_or_error_auth(ops, opdata, err, context, us); + maybe_resend(&edata); + } + } + + if (edata.ignore_message == -1) edata.ignore_message = 1; + break; + + case OTRL_MSGTYPE_DATA: + switch(context->msgstate) { + gcry_error_t err; + OtrlTLV *tlvs, *tlv; + char *plaintext; + char *buf; + const char *err_msg; + unsigned char *extrakey; + unsigned char flags; + NextExpectedSMP nextMsg; + + case OTRL_MSGSTATE_PLAINTEXT: + case OTRL_MSGSTATE_FINISHED: + /* See if we're supposed to ignore this message in + * the event it's unreadable. */ + err = otrl_proto_data_read_flags(message, &flags); + if ((flags & OTRL_MSGFLAGS_IGNORE_UNREADABLE)) { + edata.ignore_message = 1; + break; + } + + if(best_context && best_context != context && + best_context->msgstate == OTRL_MSGSTATE_ENCRYPTED) { + + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_RCVDMSG_FOR_OTHER_INSTANCE, + m_context, NULL, + gcry_error(GPG_ERR_NO_ERROR)); + } + } else if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_RCVDMSG_NOT_IN_PRIVATE, + context, NULL, + gcry_error(GPG_ERR_NO_ERROR)); + } + edata.ignore_message = 1; + + /* We don't actually want to send anything in this case, + since this could just be a message intended for another + v2 instance. We still notify the local user though */ + break; + + case OTRL_MSGSTATE_ENCRYPTED: + extrakey = gcry_malloc_secure(OTRL_EXTRAKEY_BYTES); + err = otrl_proto_accept_data(&plaintext, &tlvs, context, + message, &flags, extrakey); + if (err) { + int is_conflict = + (gpg_err_code(err) == GPG_ERR_CONFLICT); + if ((flags & OTRL_MSGFLAGS_IGNORE_UNREADABLE)) { + edata.ignore_message = 1; + break; + } + if (is_conflict) { + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_RCVDMSG_UNREADABLE, + context, NULL, + gcry_error(GPG_ERR_NO_ERROR)); + } + } else { + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_RCVDMSG_MALFORMED, + context, NULL, + gcry_error(GPG_ERR_NO_ERROR)); + } + } + if (ops->inject_message && ops->otr_error_message) { + err_msg = ops->otr_error_message(opdata, + context, + is_conflict ? + OTRL_ERRCODE_MSG_UNREADABLE : + OTRL_ERRCODE_MSG_MALFORMED); + if (err_msg) { + buf = malloc(strlen(OTR_ERROR_PREFIX) + + strlen(err_msg) + 1); + if (buf) { + strcpy(buf, OTR_ERROR_PREFIX); + strcat(buf, err_msg); + ops->inject_message(opdata, + accountname, protocol, + sender, buf); + free(buf); + } + } + if (ops->otr_error_message_free) { + ops->otr_error_message_free(opdata, + err_msg); + } + } + edata.ignore_message = 1; + break; + } + + /* If the other side told us he's disconnected his + * private connection, make a note of that so we + * don't try sending anything else to him. */ + if (otrl_tlv_find(tlvs, OTRL_TLV_DISCONNECTED)) { + otrl_context_force_finished(context); + } + + /* If the other side told us to use the current + * extra symmetric key, let the application know. */ + tlv = otrl_tlv_find(tlvs, OTRL_TLV_SYMKEY); + if (tlv && otrl_api_version >= 0x040000) { + if (ops->received_symkey && tlv->len >= 4) { + unsigned char *bufp = tlv->data; + unsigned int use = + (bufp[0] << 24) | (bufp[1] << 16) | + (bufp[2] << 8) | bufp[3]; + ops->received_symkey(opdata, context, use, + bufp+4, tlv->len - 4, extrakey); + } + } + gcry_free(extrakey); + extrakey = NULL; + + /* If TLVs contain SMP data, process it */ + nextMsg = context->smstate->nextExpected; + + tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP1Q); + if (tlv) { + if (nextMsg == OTRL_SMP_EXPECT1 && tlv->len > 0) { + /* We can only do the verification half now. + * We must wait for the secret to be entered + * to continue. */ + char *question = (char *)tlv->data; + char *qend = memchr(question, '\0', tlv->len - 1); + size_t qlen = qend ? (qend - question + 1) : + tlv->len; + otrl_sm_step2a(context->smstate, tlv->data + qlen, + tlv->len - qlen, 1); + + if (context->smstate->sm_prog_state != + OTRL_SMP_PROG_CHEATED) { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_ASK_FOR_ANSWER, + context, 25, question); + } + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_CHEATED, context, + 0, NULL); + } + context->smstate->nextExpected = + OTRL_SMP_EXPECT1; + context->smstate->sm_prog_state = + OTRL_SMP_PROG_OK; + } + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_ERROR, context, + 0, NULL); + } + } + } + + tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP1); + if (tlv) { + if (nextMsg == OTRL_SMP_EXPECT1) { + /* We can only do the verification half now. + * We must wait for the secret to be entered + * to continue. */ + otrl_sm_step2a(context->smstate, tlv->data, + tlv->len, 0); + if (context->smstate->sm_prog_state != + OTRL_SMP_PROG_CHEATED) { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_ASK_FOR_SECRET, + context, 25, NULL); + } + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_CHEATED, + context, 0, NULL); + } + context->smstate->nextExpected = + OTRL_SMP_EXPECT1; + context->smstate->sm_prog_state = + OTRL_SMP_PROG_OK; + } + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_ERROR, context, + 0, NULL); + } + } + } + + tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP2); + if (tlv) { + if (nextMsg == OTRL_SMP_EXPECT2) { + unsigned char* nextmsg; + int nextmsglen; + OtrlTLV *sendtlv; + char *sendsmp = NULL; + otrl_sm_step3(context->smstate, tlv->data, + tlv->len, &nextmsg, &nextmsglen); + + if (context->smstate->sm_prog_state != + OTRL_SMP_PROG_CHEATED) { + /* Send msg with next smp msg content */ + sendtlv = otrl_tlv_new(OTRL_TLV_SMP3, + nextmsglen, nextmsg); + err = otrl_proto_create_data(&sendsmp, + context, "", sendtlv, + OTRL_MSGFLAGS_IGNORE_UNREADABLE, + NULL); + if (!err) { + err = fragment_and_send(ops, + opdata, context, sendsmp, + OTRL_FRAGMENT_SEND_ALL, NULL); + } + free(sendsmp); + otrl_tlv_free(sendtlv); + + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_IN_PROGRESS, + context, 60, NULL); + } + context->smstate->nextExpected = + OTRL_SMP_EXPECT4; + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_CHEATED, + context, 0, NULL); + } + context->smstate->nextExpected = + OTRL_SMP_EXPECT1; + context->smstate->sm_prog_state = + OTRL_SMP_PROG_OK; + } + free(nextmsg); + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_ERROR, context, + 0, NULL); + } + } + } + + tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP3); + if (tlv) { + if (nextMsg == OTRL_SMP_EXPECT3) { + unsigned char* nextmsg; + int nextmsglen; + OtrlTLV *sendtlv; + char *sendsmp = NULL; + err = otrl_sm_step4(context->smstate, tlv->data, + tlv->len, &nextmsg, &nextmsglen); + /* Set trust level based on result */ + if (context->smstate->received_question == 0) { + set_smp_trust(ops, opdata, context, + (err == gcry_error(GPG_ERR_NO_ERROR))); + } + + if (context->smstate->sm_prog_state != + OTRL_SMP_PROG_CHEATED) { + /* Send msg with next smp msg content */ + sendtlv = otrl_tlv_new(OTRL_TLV_SMP4, + nextmsglen, nextmsg); + err = otrl_proto_create_data(&sendsmp, + context, "", sendtlv, + OTRL_MSGFLAGS_IGNORE_UNREADABLE, + NULL); + if (!err) { + err = fragment_and_send(ops, + opdata, context, sendsmp, + OTRL_FRAGMENT_SEND_ALL, NULL); + } + free(sendsmp); + otrl_tlv_free(sendtlv); + + if (ops->handle_smp_event) { + OtrlSMPEvent succorfail = + context->smstate->sm_prog_state == + OTRL_SMP_PROG_SUCCEEDED ? + OTRL_SMPEVENT_SUCCESS : + OTRL_SMPEVENT_FAILURE; + ops->handle_smp_event(opdata, succorfail, + context, 100, NULL); + } + context->smstate->nextExpected = + OTRL_SMP_EXPECT1; + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_CHEATED, + context, 0, NULL); + } + context->smstate->nextExpected = + OTRL_SMP_EXPECT1; + context->smstate->sm_prog_state = + OTRL_SMP_PROG_OK; + } + free(nextmsg); + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_ERROR, context, + 0, NULL); + } + } + } + + tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP4); + if (tlv) { + if (nextMsg == OTRL_SMP_EXPECT4) { + err = otrl_sm_step5(context->smstate, tlv->data, + tlv->len); + /* Set trust level based on result */ + set_smp_trust(ops, opdata, context, + (err == gcry_error(GPG_ERR_NO_ERROR))); + + if (context->smstate->sm_prog_state != + OTRL_SMP_PROG_CHEATED) { + if (ops->handle_smp_event) { + OtrlSMPEvent succorfail = + context->smstate->sm_prog_state == + OTRL_SMP_PROG_SUCCEEDED ? + OTRL_SMPEVENT_SUCCESS : + OTRL_SMPEVENT_FAILURE; + ops->handle_smp_event(opdata, succorfail, + context, 100, NULL); + } + context->smstate->nextExpected = + OTRL_SMP_EXPECT1; + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_CHEATED, + context, 0, NULL); + } + context->smstate->nextExpected = + OTRL_SMP_EXPECT1; + context->smstate->sm_prog_state = + OTRL_SMP_PROG_OK; + } + } else { + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, + OTRL_SMPEVENT_ERROR, context, + 0, NULL); + } + } + } + + tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP_ABORT); + if (tlv) { + context->smstate->nextExpected = OTRL_SMP_EXPECT1; + if (ops->handle_smp_event) { + ops->handle_smp_event(opdata, OTRL_SMPEVENT_ABORT, + context, 0, NULL); + } + } + + if (plaintext[0] == '\0') { + /* If it's a heartbeat (an empty message), don't + * display it to the user, but signal an event. */ + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_LOG_HEARTBEAT_RCVD, + context, NULL, + gcry_error(GPG_ERR_NO_ERROR)); + } + edata.ignore_message = 1; + } else if (edata.ignore_message != 1 && + context->context_priv->their_keyid > 0) { + /* If it's *not* a heartbeat, and we haven't + * sent anything in a while, also send a + * heartbeat. */ + time_t now = time(NULL); + if (context->context_priv->lastsent < + (now - HEARTBEAT_INTERVAL)) { + char *heartbeat; + + /* Create the heartbeat message */ + err = otrl_proto_create_data(&heartbeat, + context, "", NULL, + OTRL_MSGFLAGS_IGNORE_UNREADABLE, + NULL); + if (!err) { + /* Send it, and inject a debug message */ + if (ops->inject_message) { + ops->inject_message(opdata, accountname, + protocol, sender, heartbeat); + } + free(heartbeat); + + context->context_priv->lastsent = now; + otrl_context_update_recent_child(context, 1); + + /* Signal an event for the heartbeat message */ + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_LOG_HEARTBEAT_SENT, + context, NULL, + gcry_error(GPG_ERR_NO_ERROR)); + } + } + } + } + + /* Return the TLVs even if ignore_message == 1 so + * that we can attach TLVs to heartbeats. */ + if (tlvsp) { + *tlvsp = tlvs; + } else { + otrl_tlv_free(tlvs); + } + + if (edata.ignore_message != 1) { + char *converted_msg = NULL; + + *newmessagep = plaintext; + edata.ignore_message = 0; + + /* convert the plaintext message if necessary */ + if (ops->convert_msg) { + ops->convert_msg(opdata, context, + OTRL_CONVERT_RECEIVING, &converted_msg, + plaintext); + + if (converted_msg) { + free(plaintext); + plaintext = NULL; + *newmessagep = strdup(converted_msg); + + if (ops->convert_free) { + ops->convert_free(opdata, context, + converted_msg); + } + } + } + } else { + free(plaintext); + } + break; + } + break; + + case OTRL_MSGTYPE_ERROR: + if ((policy & OTRL_POLICY_ERROR_START_AKE)) { + char *msgtosend = otrl_proto_default_query_msg( + context->accountname, policy); + if (msgtosend && ops->inject_message) { + ops->inject_message(opdata, context->accountname, + context->protocol, context->username, + msgtosend); + } + free(msgtosend); + } + + if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED) { + /* Mark the last message we sent as eligible for + * retransmission */ + context->context_priv->may_retransmit = 1; + } + + /* In any event, display the error message, with the + * display_otr_message callback, if possible */ + if (ops->handle_msg_event) { + /* Remove the OTR error prefix and pass the msg */ + const char *just_err_msg = strstr(message, OTR_ERROR_PREFIX); + if (!just_err_msg) { + just_err_msg = message; + } else { + just_err_msg += (strlen(OTR_ERROR_PREFIX)); + if (*just_err_msg == ' ') { + /* Advance pointer to skip the space character */ + just_err_msg++; + } + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_RCVDMSG_GENERAL_ERR, + context, just_err_msg, + gcry_error(GPG_ERR_NO_ERROR)); + edata.ignore_message = 1; + } + } + break; + + case OTRL_MSGTYPE_TAGGEDPLAINTEXT: + /* Strip the tag from the message */ + bestversion = otrl_proto_whitespace_bestversion(message, + &startwhite, &endwhite, policy); + if (startwhite && endwhite) { + size_t restlen = strlen(endwhite); + char *strippedmsg = strdup(message); + + if (strippedmsg) { + memmove(strippedmsg + (startwhite - message), + strippedmsg + (endwhite - message), restlen+1); + *newmessagep = strippedmsg; + edata.ignore_message = 0; + } + } + if (bestversion && context->msgstate != OTRL_MSGSTATE_ENCRYPTED + && (policy & OTRL_POLICY_WHITESPACE_START_AKE)) { + switch(bestversion) { + case 3: + err = otrl_auth_start_v23(&(context->auth), 3); + send_or_error_auth(ops, opdata, err, context, us); + break; + case 2: + err = otrl_auth_start_v23(&(context->auth), 2); + send_or_error_auth(ops, opdata, err, context, us); + break; + case 1: + /* Get our private key */ + privkey = otrl_privkey_find(us, context->accountname, + context->protocol); + if (privkey == NULL) { + /* We've got no private key! */ + if (ops->create_privkey) { + ops->create_privkey(opdata, + context->accountname, + context->protocol); + privkey = otrl_privkey_find(us, + context->accountname, + context->protocol); + } + } + if (privkey) { + err = otrl_auth_start_v1(&(context->auth), NULL, 0, + privkey); + send_or_error_auth(ops, opdata, err, context, us); + } + break; + default: + /* Don't start the AKE */ + break; + } + } + + /* FALLTHROUGH */ + case OTRL_MSGTYPE_NOTOTR: + if (best_context->msgstate != OTRL_MSGSTATE_PLAINTEXT || + (policy & OTRL_POLICY_REQUIRE_ENCRYPTION)) { + /* Not fine. Let the user know. */ + const char *plainmsg = (*newmessagep) ? *newmessagep : message; + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED, + context, plainmsg, gcry_error(GPG_ERR_NO_ERROR)); + free(*newmessagep); + *newmessagep = NULL; + edata.ignore_message = 1; + } + } + break; + + case OTRL_MSGTYPE_UNKNOWN: + /* We received an OTR message we didn't recognize. Ignore + * it, and signal an event. */ + if (ops->handle_msg_event) { + ops->handle_msg_event(opdata, + OTRL_MSGEVENT_RCVDMSG_UNRECOGNIZED, + context, NULL, gcry_error(GPG_ERR_NO_ERROR)); + } + if (edata.ignore_message == -1) edata.ignore_message = 1; + break; + } + +end: + /* If we reassembled a fragmented message, we need to free the + * allocated memory now. */ + free(unfragmessage); + + if (edata.ignore_message == -1) edata.ignore_message = 0; + return edata.ignore_message; +} + +/* Put a connection into the PLAINTEXT state, first sending the + * other side a notice that we're doing so if we're currently ENCRYPTED, + * and we think he's logged in. Affects only the specified context. */ +static void disconnect_context(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context) +{ + if (!context) return; + + if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED && + context->context_priv->their_keyid > 0 && + ops->is_logged_in && + ops->is_logged_in(opdata, context->accountname, context->protocol, + context->username) == 1) { + if (ops->inject_message) { + char *encmsg = NULL; + gcry_error_t err; + OtrlTLV *tlv = otrl_tlv_new(OTRL_TLV_DISCONNECTED, 0, NULL); + + err = otrl_proto_create_data(&encmsg, context, "", tlv, + OTRL_MSGFLAGS_IGNORE_UNREADABLE, NULL); + if (!err) { + ops->inject_message(opdata, context->accountname, + context->protocol, context->username, encmsg); + } + free(encmsg); + otrl_tlv_free(tlv); + } + } + + otrl_context_force_plaintext(context); + if (ops->update_context_list) { + ops->update_context_list(opdata); + } +} + + +/* Put a connection into the PLAINTEXT state, first sending the + * other side a notice that we're doing so if we're currently ENCRYPTED, + * and we think he's logged in. Affects only the specified instance. */ +void otrl_message_disconnect(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, const char *accountname, const char *protocol, + const char *username, otrl_instag_t instance) +{ + ConnContext *context = otrl_context_find(us, username, accountname, + protocol, instance, 0, NULL, NULL, NULL); + + if (!context) return; + + disconnect_context(us, ops, opdata, context); +} + +/* Put a connection into the PLAINTEXT state, first sending the + * other side a notice that we're doing so if we're currently ENCRYPTED, + * and we think he's logged in. Affects all matching instances. */ +void otrl_message_disconnect_all_instances(OtrlUserState us, + const OtrlMessageAppOps *ops, void *opdata, const char *accountname, + const char *protocol, const char *username) +{ + ConnContext * c_iter; + ConnContext *context; + + if (!username || !accountname || !protocol) return; + + context = otrl_context_find(us, username, accountname, + protocol, OTRL_INSTAG_MASTER, 0, NULL, NULL, NULL); + + if (!context) return; + + for (c_iter = context; c_iter && c_iter->m_context == context->m_context; + c_iter = c_iter->next) { + disconnect_context(us, ops, opdata, c_iter); + } +} + +/* Get the current extra symmetric key (of size OTRL_EXTRAKEY_BYTES + * bytes) and let the other side know what we're going to use it for. + * The key is stored in symkey, which must already be allocated + * and OTRL_EXTRAKEY_BYTES bytes long. */ +gcry_error_t otrl_message_symkey(OtrlUserState us, + const OtrlMessageAppOps *ops, void *opdata, ConnContext *context, + unsigned int use, const unsigned char *usedata, size_t usedatalen, + unsigned char *symkey) +{ + if (!context || (usedatalen > 0 && !usedata)) { + return gcry_error(GPG_ERR_INV_VALUE); + } + + if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED && + context->context_priv->their_keyid > 0) { + unsigned char *tlvdata = malloc(usedatalen+4); + char *encmsg = NULL; + gcry_error_t err; + OtrlTLV *tlv; + + tlvdata[0] = (use >> 24) & 0xff; + tlvdata[1] = (use >> 16) & 0xff; + tlvdata[2] = (use >> 8) & 0xff; + tlvdata[3] = (use) & 0xff; + if (usedatalen > 0) { + memmove(tlvdata+4, usedata, usedatalen); + } + + tlv = otrl_tlv_new(OTRL_TLV_SYMKEY, usedatalen+4, tlvdata); + free(tlvdata); + + err = otrl_proto_create_data(&encmsg, context, "", tlv, + OTRL_MSGFLAGS_IGNORE_UNREADABLE, symkey); + if (!err && ops->inject_message) { + ops->inject_message(opdata, context->accountname, + context->protocol, context->username, encmsg); + } + free(encmsg); + otrl_tlv_free(tlv); + + return err; + } + + /* We weren't in an encrypted session. */ + return gcry_error(GPG_ERR_INV_VALUE); +} + +/* If you do _not_ define a timer_control callback function, set a timer + * to go off every definterval = + * otrl_message_poll_get_default_interval(userstate) seconds, and call + * otrl_message_poll every time the timer goes off. */ +unsigned int otrl_message_poll_get_default_interval(OtrlUserState us) +{ + return POLL_DEFAULT_INTERVAL; +} + +/* Call this function every so often, either as directed by the + * timer_control callback, or every definterval = + * otrl_message_poll_get_default_interval(userstate) seconds if you have + * no timer_control callback. This function must be called from the + * main libotr thread.*/ +void otrl_message_poll(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata) +{ + /* Wipe private keys last sent before this time */ + time_t expire_before = time(NULL) - MAX_AKE_WAIT_TIME; + + ConnContext *contextp; + + /* Is there a context still waiting for a DHKEY message, even after + * we wipe the stale ones? */ + int still_waiting = 0; + + if (us == NULL) return; + + for (contextp = us->context_root; contextp; contextp = contextp->next) { + /* If this is a master context, and it's still waiting for a + * v3 DHKEY message, see if it's waited long enough. */ + if (contextp->m_context == contextp && + contextp->auth.authstate == OTRL_AUTHSTATE_AWAITING_DHKEY && + contextp->auth.protocol_version == 3 && + contextp->auth.commit_sent_time > 0) { + if (contextp->auth.commit_sent_time < expire_before) { + otrl_auth_clear(&contextp->auth); + } else { + /* Not yet expired */ + still_waiting = 1; + } + } + } + + /* If there's nothing more to wait for, stop the timer, if possible. */ + if (still_waiting == 0 && ops && ops->timer_control) { + ops->timer_control(opdata, 0); + us->timer_running = 0; + } +} diff --git a/comm/third_party/libotr/src/message.h b/comm/third_party/libotr/src/message.h new file mode 100644 index 0000000000..bb82ffc7e6 --- /dev/null +++ b/comm/third_party/libotr/src/message.h @@ -0,0 +1,440 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __MESSAGE_H__ +#define __MESSAGE_H__ + +#define OTR_ERROR_PREFIX "?OTR Error: " + +typedef enum { + OTRL_ERRCODE_NONE, + OTRL_ERRCODE_ENCRYPTION_ERROR, + OTRL_ERRCODE_MSG_NOT_IN_PRIVATE, + OTRL_ERRCODE_MSG_UNREADABLE, + OTRL_ERRCODE_MSG_MALFORMED, +} OtrlErrorCode; + +/* These define the events used to indicate status of SMP to the UI */ +typedef enum { + OTRL_SMPEVENT_NONE, + OTRL_SMPEVENT_ERROR, + OTRL_SMPEVENT_ABORT, + OTRL_SMPEVENT_CHEATED, + OTRL_SMPEVENT_ASK_FOR_ANSWER, + OTRL_SMPEVENT_ASK_FOR_SECRET, + OTRL_SMPEVENT_IN_PROGRESS, + OTRL_SMPEVENT_SUCCESS, + OTRL_SMPEVENT_FAILURE +} OtrlSMPEvent; + +/* These define the events used to indicate the messages that need + * to be sent */ +typedef enum { + OTRL_MSGEVENT_NONE, + OTRL_MSGEVENT_ENCRYPTION_REQUIRED, + OTRL_MSGEVENT_ENCRYPTION_ERROR, + OTRL_MSGEVENT_CONNECTION_ENDED, + OTRL_MSGEVENT_SETUP_ERROR, + OTRL_MSGEVENT_MSG_REFLECTED, + OTRL_MSGEVENT_MSG_RESENT, + OTRL_MSGEVENT_RCVDMSG_NOT_IN_PRIVATE, + OTRL_MSGEVENT_RCVDMSG_UNREADABLE, + OTRL_MSGEVENT_RCVDMSG_MALFORMED, + OTRL_MSGEVENT_LOG_HEARTBEAT_RCVD, + OTRL_MSGEVENT_LOG_HEARTBEAT_SENT, + OTRL_MSGEVENT_RCVDMSG_GENERAL_ERR, + OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED, + OTRL_MSGEVENT_RCVDMSG_UNRECOGNIZED, + OTRL_MSGEVENT_RCVDMSG_FOR_OTHER_INSTANCE +} OtrlMessageEvent; + +typedef enum { + OTRL_NOTIFY_ERROR, + OTRL_NOTIFY_WARNING, + OTRL_NOTIFY_INFO +} OtrlNotifyLevel; + +typedef enum { + OTRL_CONVERT_SENDING, + OTRL_CONVERT_RECEIVING +} OtrlConvertType; + +typedef struct s_OtrlMessageAppOps { + /* Return the OTR policy for the given context. */ + OtrlPolicy (*policy)(void *opdata, ConnContext *context); + + /* Create a private key for the given accountname/protocol if + * desired. */ + void (*create_privkey)(void *opdata, const char *accountname, + const char *protocol); + + /* Report whether you think the given user is online. Return 1 if + * you think he is, 0 if you think he isn't, -1 if you're not sure. + * + * If you return 1, messages such as heartbeats or other + * notifications may be sent to the user, which could result in "not + * logged in" errors if you're wrong. */ + int (*is_logged_in)(void *opdata, const char *accountname, + const char *protocol, const char *recipient); + + /* Send the given IM to the given recipient from the given + * accountname/protocol. */ + void (*inject_message)(void *opdata, const char *accountname, + const char *protocol, const char *recipient, const char *message); + + /* When the list of ConnContexts changes (including a change in + * state), this is called so the UI can be updated. */ + void (*update_context_list)(void *opdata); + + /* A new fingerprint for the given user has been received. */ + void (*new_fingerprint)(void *opdata, OtrlUserState us, + const char *accountname, const char *protocol, + const char *username, unsigned char fingerprint[20]); + + /* The list of known fingerprints has changed. Write them to disk. */ + void (*write_fingerprints)(void *opdata); + + /* A ConnContext has entered a secure state. */ + void (*gone_secure)(void *opdata, ConnContext *context); + + /* A ConnContext has left a secure state. */ + void (*gone_insecure)(void *opdata, ConnContext *context); + + /* We have completed an authentication, using the D-H keys we + * already knew. is_reply indicates whether we initiated the AKE. */ + void (*still_secure)(void *opdata, ConnContext *context, int is_reply); + + /* Find the maximum message size supported by this protocol. */ + int (*max_message_size)(void *opdata, ConnContext *context); + + /* Return a newly allocated string containing a human-friendly + * representation for the given account */ + const char *(*account_name)(void *opdata, const char *account, + const char *protocol); + + /* Deallocate a string returned by account_name */ + void (*account_name_free)(void *opdata, const char *account_name); + + /* We received a request from the buddy to use the current "extra" + * symmetric key. The key will be passed in symkey, of length + * OTRL_EXTRAKEY_BYTES. The requested use, as well as use-specific + * data will be passed so that the applications can communicate other + * information (some id for the data transfer, for example). */ + void (*received_symkey)(void *opdata, ConnContext *context, + unsigned int use, const unsigned char *usedata, + size_t usedatalen, const unsigned char *symkey); + + /* Return a string according to the error event. This string will then + * be concatenated to an OTR header to produce an OTR protocol error + * message. The following are the possible error events: + * - OTRL_ERRCODE_ENCRYPTION_ERROR + * occured while encrypting a message + * - OTRL_ERRCODE_MSG_NOT_IN_PRIVATE + * sent encrypted message to somebody who is not in + * a mutual OTR session + * - OTRL_ERRCODE_MSG_UNREADABLE + * sent an unreadable encrypted message + * - OTRL_ERRCODE_MSG_MALFORMED + * message sent is malformed */ + const char *(*otr_error_message)(void *opdata, ConnContext *context, + OtrlErrorCode err_code); + + /* Deallocate a string returned by otr_error_message */ + void (*otr_error_message_free)(void *opdata, const char *err_msg); + + /* Return a string that will be prefixed to any resent message. If this + * function is not provided by the application then the default prefix, + * "[resent]", will be used. + * */ + const char *(*resent_msg_prefix)(void *opdata, ConnContext *context); + + /* Deallocate a string returned by resent_msg_prefix */ + void (*resent_msg_prefix_free)(void *opdata, const char *prefix); + + /* Update the authentication UI with respect to SMP events + * These are the possible events: + * - OTRL_SMPEVENT_ASK_FOR_SECRET + * prompt the user to enter a shared secret. The sender application + * should call otrl_message_initiate_smp, passing NULL as the question. + * When the receiver application resumes the SM protocol by calling + * otrl_message_respond_smp with the secret answer. + * - OTRL_SMPEVENT_ASK_FOR_ANSWER + * (same as OTRL_SMPEVENT_ASK_FOR_SECRET but sender calls + * otrl_message_initiate_smp_q instead) + * - OTRL_SMPEVENT_CHEATED + * abort the current auth and update the auth progress dialog + * with progress_percent. otrl_message_abort_smp should be called to + * stop the SM protocol. + * - OTRL_SMPEVENT_INPROGRESS and + * OTRL_SMPEVENT_SUCCESS and + * OTRL_SMPEVENT_FAILURE and + * OTRL_SMPEVENT_ABORT + * update the auth progress dialog with progress_percent + * - OTRL_SMPEVENT_ERROR + * (same as OTRL_SMPEVENT_CHEATED) + * */ + void (*handle_smp_event)(void *opdata, OtrlSMPEvent smp_event, + ConnContext *context, unsigned short progress_percent, + char *question); + + /* Handle and send the appropriate message(s) to the sender/recipient + * depending on the message events. All the events only require an opdata, + * the event, and the context. The message and err will be NULL except for + * some events (see below). The possible events are: + * - OTRL_MSGEVENT_ENCRYPTION_REQUIRED + * Our policy requires encryption but we are trying to send + * an unencrypted message out. + * - OTRL_MSGEVENT_ENCRYPTION_ERROR + * An error occured while encrypting a message and the message + * was not sent. + * - OTRL_MSGEVENT_CONNECTION_ENDED + * Message has not been sent because our buddy has ended the + * private conversation. We should either close the connection, + * or refresh it. + * - OTRL_MSGEVENT_SETUP_ERROR + * A private conversation could not be set up. A gcry_error_t + * will be passed. + * - OTRL_MSGEVENT_MSG_REFLECTED + * Received our own OTR messages. + * - OTRL_MSGEVENT_MSG_RESENT + * The previous message was resent. + * - OTRL_MSGEVENT_RCVDMSG_NOT_IN_PRIVATE + * Received an encrypted message but cannot read + * it because no private connection is established yet. + * - OTRL_MSGEVENT_RCVDMSG_UNREADABLE + * Cannot read the received message. + * - OTRL_MSGEVENT_RCVDMSG_MALFORMED + * The message received contains malformed data. + * - OTRL_MSGEVENT_LOG_HEARTBEAT_RCVD + * Received a heartbeat. + * - OTRL_MSGEVENT_LOG_HEARTBEAT_SENT + * Sent a heartbeat. + * - OTRL_MSGEVENT_RCVDMSG_GENERAL_ERR + * Received a general OTR error. The argument 'message' will + * also be passed and it will contain the OTR error message. + * - OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED + * Received an unencrypted message. The argument 'message' will + * also be passed and it will contain the plaintext message. + * - OTRL_MSGEVENT_RCVDMSG_UNRECOGNIZED + * Cannot recognize the type of OTR message received. + * - OTRL_MSGEVENT_RCVDMSG_FOR_OTHER_INSTANCE + * Received and discarded a message intended for another instance. */ + void (*handle_msg_event)(void *opdata, OtrlMessageEvent msg_event, + ConnContext *context, const char *message, + gcry_error_t err); + + /* Create a instance tag for the given accountname/protocol if + * desired. */ + void (*create_instag)(void *opdata, const char *accountname, + const char *protocol); + + /* Called immediately before a data message is encrypted, and after a data + * message is decrypted. The OtrlConvertType parameter has the value + * OTRL_CONVERT_SENDING or OTRL_CONVERT_RECEIVING to differentiate these + * cases. */ + void (*convert_msg)(void *opdata, ConnContext *context, + OtrlConvertType convert_type, char ** dest, const char *src); + + /* Deallocate a string returned by convert_msg. */ + void (*convert_free)(void *opdata, ConnContext *context, char *dest); + + /* When timer_control is called, turn off any existing periodic + * timer. + * + * Additionally, if interval > 0, set a new periodic timer + * to go off every interval seconds. When that timer fires, you + * must call otrl_message_poll(userstate, uiops, uiopdata); from the + * main libotr thread. + * + * The timing does not have to be exact; this timer is used to + * provide forward secrecy by cleaning up stale private state that + * may otherwise stick around in memory. Note that the + * timer_control callback may be invoked from otrl_message_poll + * itself, possibly to indicate that interval == 0 (that is, that + * there's no more periodic work to be done at this time). + * + * If you set this callback to NULL, then you must ensure that your + * application calls otrl_message_poll(userstate, uiops, uiopdata); + * from the main libotr thread every definterval seconds (where + * definterval can be obtained by calling + * definterval = otrl_message_poll_get_default_interval(userstate); + * right after creating the userstate). The advantage of + * implementing the timer_control callback is that the timer can be + * turned on by libotr only when it's needed. + * + * It is not a problem (except for a minor performance hit) to call + * otrl_message_poll more often than requested, whether + * timer_control is implemented or not. + * + * If you fail to implement the timer_control callback, and also + * fail to periodically call otrl_message_poll, then you open your + * users to a possible forward secrecy violation: an attacker that + * compromises the user's computer may be able to decrypt a handful + * of long-past messages (the first messages of an OTR + * conversation). + */ + void (*timer_control)(void *opdata, unsigned int interval); + +} OtrlMessageAppOps; + +/* Deallocate a message allocated by other otrl_message_* routines. */ +void otrl_message_free(char *message); + +/* Handle a message about to be sent to the network. It is safe to pass + * all messages about to be sent to this routine. add_appdata is a + * function that will be called in the event that a new ConnContext is + * created. It will be passed the data that you supplied, as well as a + * pointer to the new ConnContext. You can use this to add + * application-specific information to the ConnContext using the + * "context->app" field, for example. If you don't need to do this, you + * can pass NULL for the last two arguments of otrl_message_sending. + * + * tlvs is a chain of OtrlTLVs to append to the private message. It is + * usually correct to just pass NULL here. + * + * If non-NULL, ops->convert_msg will be called just before encrypting a + * message. + * + * "instag" specifies the instance tag of the buddy (protocol version 3 only). + * Meta-instances may also be specified (e.g., OTRL_INSTAG_MOST_SECURE). + * If "contextp" is not NULL, it will be set to the ConnContext used for + * sending the message. + * + * If no fragmentation or msg injection is wanted, use OTRL_FRAGMENT_SEND_SKIP + * as the OtrlFragmentPolicy. In this case, this function will assign *messagep + * with the encrypted msg. If the routine returns non-zero, then the library + * tried to encrypt the message, but for some reason failed. DO NOT send the + * message in the clear in that case. If *messagep gets set by the call to + * something non-NULL, then you should replace your message with the contents + * of *messagep, and send that instead. + * + * Other fragmentation policies are OTRL_FRAGMENT_SEND_ALL, + * OTRL_FRAGMENT_SEND_ALL_BUT_LAST, or OTRL_FRAGMENT_SEND_ALL_BUT_FIRST. In + * these cases, the appropriate fragments will be automatically sent. For the + * last two policies, the remaining fragment will be passed in *original_msg. + * + * Call otrl_message_free(*messagep) if you don't need *messagep or when you're + * done with it. */ +gcry_error_t otrl_message_sending(OtrlUserState us, + const OtrlMessageAppOps *ops, + void *opdata, const char *accountname, const char *protocol, + const char *recipient, otrl_instag_t instag, const char *original_msg, + OtrlTLV *tlvs, char **messagep, OtrlFragmentPolicy fragPolicy, + ConnContext **contextp, + void (*add_appdata)(void *data, ConnContext *context), + void *data); + +/* Handle a message just received from the network. It is safe to pass + * all received messages to this routine. add_appdata is a function + * that will be called in the event that a new ConnContext is created. + * It will be passed the data that you supplied, as well as + * a pointer to the new ConnContext. You can use this to add + * application-specific information to the ConnContext using the + * "context->app" field, for example. If you don't need to do this, you + * can pass NULL for the last two arguments of otrl_message_receiving. + * + * If non-NULL, ops->convert_msg will be called after a data message is + * decrypted. + * + * If "contextp" is not NULL, it will be set to the ConnContext used for + * receiving the message. + * + * If otrl_message_receiving returns 1, then the message you received + * was an internal protocol message, and no message should be delivered + * to the user. + * + * If it returns 0, then check if *messagep was set to non-NULL. If + * so, replace the received message with the contents of *messagep, and + * deliver that to the user instead. You must call + * otrl_message_free(*messagep) when you're done with it. If tlvsp is + * non-NULL, *tlvsp will be set to a chain of any TLVs that were + * transmitted along with this message. You must call + * otrl_tlv_free(*tlvsp) when you're done with those. + * + * If otrl_message_receiving returns 0 and *messagep is NULL, then this + * was an ordinary, non-OTR message, which should just be delivered to + * the user without modification. */ +int otrl_message_receiving(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, const char *accountname, const char *protocol, + const char *sender, const char *message, char **newmessagep, + OtrlTLV **tlvsp, ConnContext **contextp, + void (*add_appdata)(void *data, ConnContext *context), + void *data); + +/* Put a connection into the PLAINTEXT state, first sending the + * other side a notice that we're doing so if we're currently ENCRYPTED, + * and we think he's logged in. Affects only the specified instance. */ +void otrl_message_disconnect(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, const char *accountname, const char *protocol, + const char *username, otrl_instag_t instance); + +/* Put a connection into the PLAINTEXT state, first sending the + * other side a notice that we're doing so if we're currently ENCRYPTED, + * and we think he's logged in. Affects all matching instances. */ +void otrl_message_disconnect_all_instances(OtrlUserState us, + const OtrlMessageAppOps *ops, void *opdata, const char *accountname, + const char *protocol, const char *username); + +/* Initiate the Socialist Millionaires' Protocol */ +void otrl_message_initiate_smp(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context, const unsigned char *secret, + size_t secretlen); + +/* Initiate the Socialist Millionaires' Protocol and send a prompt + * question to the buddy */ +void otrl_message_initiate_smp_q(OtrlUserState us, + const OtrlMessageAppOps *ops, void *opdata, ConnContext *context, + const char *question, const unsigned char *secret, size_t secretlen); + +/* Respond to a buddy initiating the Socialist Millionaires' Protocol */ +void otrl_message_respond_smp(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context, const unsigned char *secret, + size_t secretlen); + +/* Abort the SMP. Called when an unexpected SMP message breaks the + * normal flow. */ +void otrl_message_abort_smp(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata, ConnContext *context); + +/* Get the current extra symmetric key (of size OTRL_EXTRAKEY_BYTES + * bytes) and let the other side know what we're going to use it for. + * The key is stored in symkey, which must already be allocated + * and OTRL_EXTRAKEY_BYTES bytes long. */ +gcry_error_t otrl_message_symkey(OtrlUserState us, + const OtrlMessageAppOps *ops, void *opdata, ConnContext *context, + unsigned int use, const unsigned char *usedata, size_t usedatalen, + unsigned char *symkey); + +/* If you do _not_ define a timer_control callback function, set a timer + * to go off every definterval = + * otrl_message_poll_get_default_interval(userstate) seconds, and call + * otrl_message_poll every time the timer goes off. */ +unsigned int otrl_message_poll_get_default_interval(OtrlUserState us); + +/* Call this function every so often, either as directed by the + * timer_control callback, or every definterval = + * otrl_message_poll_get_default_interval(userstate) seconds if you have + * no timer_control callback. This function must be called from the + * main libotr thread.*/ +void otrl_message_poll(OtrlUserState us, const OtrlMessageAppOps *ops, + void *opdata); + +#endif diff --git a/comm/third_party/libotr/src/privkey-t.h b/comm/third_party/libotr/src/privkey-t.h new file mode 100644 index 0000000000..7dd120e789 --- /dev/null +++ b/comm/third_party/libotr/src/privkey-t.h @@ -0,0 +1,50 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2009 Ian Goldberg, Chris Alexander, Willy Lew, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __PRIVKEY_T_H__ +#define __PRIVKEY_T_H__ + +#include <gcrypt.h> + +typedef struct s_OtrlPrivKey { + struct s_OtrlPrivKey *next; + struct s_OtrlPrivKey **tous; + + char *accountname; + char *protocol; + unsigned short pubkey_type; + gcry_sexp_t privkey; + unsigned char *pubkey_data; + size_t pubkey_datalen; +} OtrlPrivKey; + +#define OTRL_PUBKEY_TYPE_DSA 0x0000 + +/* The list of privkeys currently being constructed, possibly in a + * background thread */ +typedef struct s_OtrlPendingPrivKey { + struct s_OtrlPendingPrivKey *next; + struct s_OtrlPendingPrivKey **tous; + + char *accountname; + char *protocol; +} OtrlPendingPrivKey; + +#endif diff --git a/comm/third_party/libotr/src/privkey.c b/comm/third_party/libotr/src/privkey.c new file mode 100644 index 0000000000..6e4bbe40fc --- /dev/null +++ b/comm/third_party/libotr/src/privkey.c @@ -0,0 +1,938 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Rob Smits, Chris Alexander, + * Willy Lew, Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* system headers */ +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> +#include <sys/stat.h> + +/* libgcrypt headers */ +#include <gcrypt.h> + +/* libotr headers */ +#include "privkey.h" +#include "serial.h" + +/* Convert a 20-byte hash value to a 45-byte human-readable value */ +void otrl_privkey_hash_to_human( + char human[OTRL_PRIVKEY_FPRINT_HUMAN_LEN], + const unsigned char hash[20]) +{ + int word, byte; + char *p = human; + + for(word=0; word<5; ++word) { + for(byte=0; byte<4; ++byte) { + sprintf(p, "%02X", hash[word*4+byte]); + p += 2; + } + *(p++) = ' '; + } + /* Change that last ' ' to a '\0' */ + --p; + *p = '\0'; +} + +/* Calculate a human-readable hash of our DSA public key. Return it in + * the passed fingerprint buffer. Return NULL on error, or a pointer to + * the given buffer on success. */ +char *otrl_privkey_fingerprint(OtrlUserState us, + char fingerprint[OTRL_PRIVKEY_FPRINT_HUMAN_LEN], + const char *accountname, const char *protocol) +{ + unsigned char hash[20]; + OtrlPrivKey *p = otrl_privkey_find(us, accountname, protocol); + + if (p) { + /* Calculate the hash */ + gcry_md_hash_buffer(GCRY_MD_SHA1, hash, p->pubkey_data, + p->pubkey_datalen); + + /* Now convert it to a human-readable format */ + otrl_privkey_hash_to_human(fingerprint, hash); + } else { + return NULL; + } + + return fingerprint; +} + +/* Calculate a raw hash of our DSA public key. Return it in the passed + * fingerprint buffer. Return NULL on error, or a pointer to the given + * buffer on success. */ +unsigned char *otrl_privkey_fingerprint_raw(OtrlUserState us, + unsigned char hash[20], const char *accountname, const char *protocol) +{ + OtrlPrivKey *p = otrl_privkey_find(us, accountname, protocol); + + if (p) { + /* Calculate the hash */ + gcry_md_hash_buffer(GCRY_MD_SHA1, hash, p->pubkey_data, + p->pubkey_datalen); + } else { + return NULL; + } + + return hash; +} + +/* Create a public key block from a private key */ +static gcry_error_t make_pubkey(unsigned char **pubbufp, size_t *publenp, + gcry_sexp_t privkey) +{ + gcry_mpi_t p,q,g,y; + gcry_sexp_t dsas,ps,qs,gs,ys; + size_t np,nq,ng,ny; + enum gcry_mpi_format format = GCRYMPI_FMT_USG; + unsigned char *bufp; + size_t lenp; + + *pubbufp = NULL; + *publenp = 0; + + /* Extract the public parameters */ + dsas = gcry_sexp_find_token(privkey, "dsa", 0); + if (dsas == NULL) { + return gcry_error(GPG_ERR_UNUSABLE_SECKEY); + } + ps = gcry_sexp_find_token(dsas, "p", 0); + qs = gcry_sexp_find_token(dsas, "q", 0); + gs = gcry_sexp_find_token(dsas, "g", 0); + ys = gcry_sexp_find_token(dsas, "y", 0); + gcry_sexp_release(dsas); + if (!ps || !qs || !gs || !ys) { + gcry_sexp_release(ps); + gcry_sexp_release(qs); + gcry_sexp_release(gs); + gcry_sexp_release(ys); + return gcry_error(GPG_ERR_UNUSABLE_SECKEY); + } + p = gcry_sexp_nth_mpi(ps, 1, GCRYMPI_FMT_USG); + gcry_sexp_release(ps); + q = gcry_sexp_nth_mpi(qs, 1, GCRYMPI_FMT_USG); + gcry_sexp_release(qs); + g = gcry_sexp_nth_mpi(gs, 1, GCRYMPI_FMT_USG); + gcry_sexp_release(gs); + y = gcry_sexp_nth_mpi(ys, 1, GCRYMPI_FMT_USG); + gcry_sexp_release(ys); + if (!p || !q || !g || !y) { + gcry_mpi_release(p); + gcry_mpi_release(q); + gcry_mpi_release(g); + gcry_mpi_release(y); + return gcry_error(GPG_ERR_UNUSABLE_SECKEY); + } + + *publenp = 0; + gcry_mpi_print(format, NULL, 0, &np, p); + *publenp += np + 4; + gcry_mpi_print(format, NULL, 0, &nq, q); + *publenp += nq + 4; + gcry_mpi_print(format, NULL, 0, &ng, g); + *publenp += ng + 4; + gcry_mpi_print(format, NULL, 0, &ny, y); + *publenp += ny + 4; + + *pubbufp = malloc(*publenp); + if (*pubbufp == NULL) { + gcry_mpi_release(p); + gcry_mpi_release(q); + gcry_mpi_release(g); + gcry_mpi_release(y); + return gcry_error(GPG_ERR_ENOMEM); + } + bufp = *pubbufp; + lenp = *publenp; + + write_mpi(p,np,"P"); + write_mpi(q,nq,"Q"); + write_mpi(g,ng,"G"); + write_mpi(y,ny,"Y"); + + gcry_mpi_release(p); + gcry_mpi_release(q); + gcry_mpi_release(g); + gcry_mpi_release(y); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Read a sets of private DSA keys from a file on disk into the given + * OtrlUserState. */ +gcry_error_t otrl_privkey_read(OtrlUserState us, const char *filename) +{ + FILE *privf; + gcry_error_t err; + + /* Open the privkey file. We use rb mode so that on WIN32, fread() + * reads the same number of bytes that fstat() indicates are in the + * file. */ + privf = fopen(filename, "rb"); + if (!privf) { + err = gcry_error_from_errno(errno); + return err; + } + + err = otrl_privkey_read_FILEp(us, privf); + + fclose(privf); + return err; +} + +/* Read a sets of private DSA keys from a FILE* into the given + * OtrlUserState. The FILE* must be open for reading. */ +gcry_error_t otrl_privkey_read_FILEp(OtrlUserState us, FILE *privf) +{ + int privfd; + struct stat st; + char *buf; + const char *token; + size_t tokenlen; + gcry_error_t err; + gcry_sexp_t allkeys; + int i; + + if (!privf) return gcry_error(GPG_ERR_NO_ERROR); + + /* Release any old ideas we had about our keys */ + otrl_privkey_forget_all(us); + + /* Load the data into a buffer */ + privfd = fileno(privf); + if (fstat(privfd, &st)) { + err = gcry_error_from_errno(errno); + return err; + } + buf = malloc(st.st_size); + if (!buf && st.st_size > 0) { + return gcry_error(GPG_ERR_ENOMEM); + } + if (fread(buf, st.st_size, 1, privf) != 1) { + err = gcry_error_from_errno(errno); + free(buf); + return err; + } + + err = gcry_sexp_new(&allkeys, buf, st.st_size, 0); + free(buf); + if (err) { + return err; + } + + token = gcry_sexp_nth_data(allkeys, 0, &tokenlen); + if (tokenlen != 8 || strncmp(token, "privkeys", 8)) { + gcry_sexp_release(allkeys); + return gcry_error(GPG_ERR_UNUSABLE_SECKEY); + } + + /* Get each account */ + for(i=1; i<gcry_sexp_length(allkeys); ++i) { + gcry_sexp_t names, protos, privs; + char *name, *proto; + gcry_sexp_t accounts; + OtrlPrivKey *p; + + /* Get the ith "account" S-exp */ + accounts = gcry_sexp_nth(allkeys, i); + + /* It's really an "account" S-exp? */ + token = gcry_sexp_nth_data(accounts, 0, &tokenlen); + if (tokenlen != 7 || strncmp(token, "account", 7)) { + gcry_sexp_release(accounts); + gcry_sexp_release(allkeys); + return gcry_error(GPG_ERR_UNUSABLE_SECKEY); + } + /* Extract the name, protocol, and privkey S-exps */ + names = gcry_sexp_find_token(accounts, "name", 0); + protos = gcry_sexp_find_token(accounts, "protocol", 0); + privs = gcry_sexp_find_token(accounts, "private-key", 0); + gcry_sexp_release(accounts); + if (!names || !protos || !privs) { + gcry_sexp_release(names); + gcry_sexp_release(protos); + gcry_sexp_release(privs); + gcry_sexp_release(allkeys); + return gcry_error(GPG_ERR_UNUSABLE_SECKEY); + } + /* Extract the actual name and protocol */ + token = gcry_sexp_nth_data(names, 1, &tokenlen); + if (!token) { + gcry_sexp_release(names); + gcry_sexp_release(protos); + gcry_sexp_release(privs); + gcry_sexp_release(allkeys); + return gcry_error(GPG_ERR_UNUSABLE_SECKEY); + } + name = malloc(tokenlen + 1); + if (!name) { + gcry_sexp_release(names); + gcry_sexp_release(protos); + gcry_sexp_release(privs); + gcry_sexp_release(allkeys); + return gcry_error(GPG_ERR_ENOMEM); + } + memmove(name, token, tokenlen); + name[tokenlen] = '\0'; + gcry_sexp_release(names); + + token = gcry_sexp_nth_data(protos, 1, &tokenlen); + if (!token) { + free(name); + gcry_sexp_release(protos); + gcry_sexp_release(privs); + gcry_sexp_release(allkeys); + return gcry_error(GPG_ERR_UNUSABLE_SECKEY); + } + proto = malloc(tokenlen + 1); + if (!proto) { + free(name); + gcry_sexp_release(protos); + gcry_sexp_release(privs); + gcry_sexp_release(allkeys); + return gcry_error(GPG_ERR_ENOMEM); + } + memmove(proto, token, tokenlen); + proto[tokenlen] = '\0'; + gcry_sexp_release(protos); + + /* Make a new OtrlPrivKey entry */ + p = malloc(sizeof(*p)); + if (!p) { + free(name); + free(proto); + gcry_sexp_release(privs); + gcry_sexp_release(allkeys); + return gcry_error(GPG_ERR_ENOMEM); + } + + /* Fill it in and link it up */ + p->accountname = name; + p->protocol = proto; + p->pubkey_type = OTRL_PUBKEY_TYPE_DSA; + p->privkey = privs; + p->next = us->privkey_root; + if (p->next) { + p->next->tous = &(p->next); + } + p->tous = &(us->privkey_root); + us->privkey_root = p; + err = make_pubkey(&(p->pubkey_data), &(p->pubkey_datalen), p->privkey); + if (err) { + gcry_sexp_release(allkeys); + otrl_privkey_forget(p); + return gcry_error(GPG_ERR_UNUSABLE_SECKEY); + } + } + gcry_sexp_release(allkeys); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +static OtrlPendingPrivKey *pending_find(OtrlUserState us, + const char *accountname, const char *protocol) +{ + OtrlPendingPrivKey *search = us->pending_root; + + while (search) { + if (!strcmp(search->accountname, accountname) && + !strcmp(search->protocol, protocol)) { + /* Found it */ + return search; + } + search = search->next; + } + return NULL; +} + +/* Insert an account/protocol pair into the pending privkey list of the + * given OtrlUserState and return a pointer to the new + * OtrlPendingPrivKey, or return NULL if it's already there. */ +static OtrlPendingPrivKey *pending_insert(OtrlUserState us, + const char *accountname, const char *protocol) +{ + /* See if it's already there */ + OtrlPendingPrivKey *search = pending_find(us, accountname, protocol); + + if (search) { + /* It is */ + return NULL; + } + + /* We'll insert it at the beginning of the list */ + search = malloc(sizeof(*search)); + if (!search) return NULL; + + search->accountname = strdup(accountname); + search->protocol = strdup(protocol); + + search->next = us->pending_root; + us->pending_root = search; + if (search->next) { + search->next->tous = &(search->next); + } + search->tous = &(us->pending_root); + return search; +} + +static void pending_forget(OtrlPendingPrivKey *ppk) +{ + if (ppk) { + free(ppk->accountname); + free(ppk->protocol); + + /* Re-link the list */ + *(ppk->tous) = ppk->next; + if (ppk->next) { + ppk->next->tous = ppk->tous; + } + + free(ppk); + } +} + +/* Free the memory associated with the pending privkey list */ +void otrl_privkey_pending_forget_all(OtrlUserState us) +{ + while(us->pending_root) { + pending_forget(us->pending_root); + } +} + +static gcry_error_t sexp_write(FILE *privf, gcry_sexp_t sexp) +{ + size_t buflen; + char *buf; + + buflen = gcry_sexp_sprint(sexp, GCRYSEXP_FMT_ADVANCED, NULL, 0); + buf = malloc(buflen); + if (buf == NULL && buflen > 0) { + return gcry_error(GPG_ERR_ENOMEM); + } + gcry_sexp_sprint(sexp, GCRYSEXP_FMT_ADVANCED, buf, buflen); + + fprintf(privf, "%s", buf); + free(buf); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +static gcry_error_t account_write(FILE *privf, const char *accountname, + const char *protocol, gcry_sexp_t privkey) +{ + gcry_error_t err; + gcry_sexp_t names, protos; + + fprintf(privf, " (account\n"); + + err = gcry_sexp_build(&names, NULL, "(name %s)", accountname); + if (!err) { + err = sexp_write(privf, names); + gcry_sexp_release(names); + } + if (!err) err = gcry_sexp_build(&protos, NULL, "(protocol %s)", protocol); + if (!err) { + err = sexp_write(privf, protos); + gcry_sexp_release(protos); + } + if (!err) err = sexp_write(privf, privkey); + + fprintf(privf, " )\n"); + + return err; +} + +struct s_pending_privkey_calc { + char *accountname; + char *protocol; + gcry_sexp_t privkey; +}; + +/* Begin a private key generation that will potentially take place in + * a background thread. This routine must be called from the main + * thread. It will set *newkeyp, which you can pass to + * otrl_privkey_generate_calculate in a background thread. If it + * returns gcry_error(GPG_ERR_EEXIST), then a privkey creation for + * this accountname/protocol is already in progress, and *newkeyp will + * be set to NULL. */ +gcry_error_t otrl_privkey_generate_start(OtrlUserState us, + const char *accountname, const char *protocol, void **newkeyp) +{ + OtrlPendingPrivKey *found = pending_find(us, accountname, protocol); + struct s_pending_privkey_calc *ppc; + + if (found) { + if (newkeyp) *newkeyp = NULL; + return gcry_error(GPG_ERR_EEXIST); + } + + /* We're not already creating this key. Mark it as in progress. */ + pending_insert(us, accountname, protocol); + + /* Allocate the working structure */ + ppc = malloc(sizeof(*ppc)); + ppc->accountname = strdup(accountname); + ppc->protocol = strdup(protocol); + ppc->privkey = NULL; + + *newkeyp = ppc; + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Do the private key generation calculation. You may call this from a + * background thread. When it completes, call + * otrl_privkey_generate_finish from the _main_ thread. */ +gcry_error_t otrl_privkey_generate_calculate(void *newkey) +{ + struct s_pending_privkey_calc *ppc = + (struct s_pending_privkey_calc *)newkey; + gcry_error_t err; + gcry_sexp_t key, parms; + static const char *parmstr = "(genkey (dsa (nbits 4:1024)))"; + + /* Create a DSA key */ + err = gcry_sexp_new(&parms, parmstr, strlen(parmstr), 0); + if (err) { + return err; + } + err = gcry_pk_genkey(&key, parms); + gcry_sexp_release(parms); + if (err) { + return err; + } + + /* Extract the privkey */ + ppc->privkey = gcry_sexp_find_token(key, "private-key", 0); + gcry_sexp_release(key); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +static FILE* privkey_fopen(const char *filename, gcry_error_t *errp) +{ + FILE *privf; +#ifndef WIN32 + mode_t oldmask; +#endif + +#ifndef WIN32 + oldmask = umask(077); +#endif + privf = fopen(filename, "w+b"); + if (!privf && errp) { + *errp = gcry_error_from_errno(errno); + } +#ifndef WIN32 + umask(oldmask); +#endif + return privf; +} + +/* Call this from the main thread only, in the event that the background + * thread generating the key is cancelled. The newkey is deallocated, + * and must not be used further. */ +void otrl_privkey_generate_cancelled(OtrlUserState us, void *newkey) +{ + struct s_pending_privkey_calc *ppc = + (struct s_pending_privkey_calc *)newkey; + + if (us) { + pending_forget(pending_find(us, ppc->accountname, ppc->protocol)); + } + + /* Deallocate ppc */ + free(ppc->accountname); + free(ppc->protocol); + gcry_sexp_release(ppc->privkey); + free(ppc); +} + +/* Call this from the main thread only. It will write the newly created + * private key into the given file and store it in the OtrlUserState. */ +gcry_error_t otrl_privkey_generate_finish(OtrlUserState us, + void *newkey, const char *filename) +{ + gcry_error_t err; + FILE *privf = privkey_fopen(filename, &err); + if (!privf) { + return err; + } + + err = otrl_privkey_generate_finish_FILEp(us, newkey, privf); + + fclose(privf); + return err; +} + +/* Call this from the main thread only. It will write the newly created + * private key into the given FILE* (which must be open for reading and + * writing) and store it in the OtrlUserState. */ +gcry_error_t otrl_privkey_generate_finish_FILEp(OtrlUserState us, + void *newkey, FILE *privf) +{ + struct s_pending_privkey_calc *ppc = + (struct s_pending_privkey_calc *)newkey; + gcry_error_t ret = gcry_error(GPG_ERR_INV_VALUE); + + if (ppc && us && privf) { + OtrlPrivKey *p; + + /* Output the other keys we know */ + fprintf(privf, "(privkeys\n"); + + for (p=us->privkey_root; p; p=p->next) { + /* Skip this one if our new key replaces it */ + if (!strcmp(p->accountname, ppc->accountname) && + !strcmp(p->protocol, ppc->protocol)) { + continue; + } + + account_write(privf, p->accountname, p->protocol, p->privkey); + } + account_write(privf, ppc->accountname, ppc->protocol, ppc->privkey); + fprintf(privf, ")\n"); + + fseek(privf, 0, SEEK_SET); + + ret = otrl_privkey_read_FILEp(us, privf); + } + + otrl_privkey_generate_cancelled(us, newkey); + + return ret; +} + +/* Generate a private DSA key for a given account, storing it into a + * file on disk, and loading it into the given OtrlUserState. Overwrite any + * previously generated keys for that account in that OtrlUserState. */ +gcry_error_t otrl_privkey_generate(OtrlUserState us, const char *filename, + const char *accountname, const char *protocol) +{ + gcry_error_t err; + FILE *privf = privkey_fopen(filename, &err); + if (!privf) { + return err; + } + + err = otrl_privkey_generate_FILEp(us, privf, accountname, protocol); + + fclose(privf); + return err; +} + +/* Generate a private DSA key for a given account, storing it into a + * FILE*, and loading it into the given OtrlUserState. Overwrite any + * previously generated keys for that account in that OtrlUserState. + * The FILE* must be open for reading and writing. */ +gcry_error_t otrl_privkey_generate_FILEp(OtrlUserState us, FILE *privf, + const char *accountname, const char *protocol) +{ + void *newkey = NULL; + gcry_error_t err; + + err = otrl_privkey_generate_start(us, accountname, protocol, &newkey); + if (newkey) { + otrl_privkey_generate_calculate(newkey); + err = otrl_privkey_generate_finish_FILEp(us, newkey, privf); + } + + return err; +} + +/* Convert a hex character to a value */ +static unsigned int ctoh(char c) +{ + if (c >= '0' && c <= '9') return c-'0'; + if (c >= 'a' && c <= 'f') return c-'a'+10; + if (c >= 'A' && c <= 'F') return c-'A'+10; + return 0; /* Unknown hex char */ +} + +/* Read the fingerprint store from a file on disk into the given + * OtrlUserState. Use add_app_data to add application data to each + * ConnContext so created. */ +gcry_error_t otrl_privkey_read_fingerprints(OtrlUserState us, + const char *filename, + void (*add_app_data)(void *data, ConnContext *context), + void *data) +{ + gcry_error_t err; + FILE *storef; + + storef = fopen(filename, "rb"); + if (!storef) { + err = gcry_error_from_errno(errno); + return err; + } + + err = otrl_privkey_read_fingerprints_FILEp(us, storef, add_app_data, data); + + fclose(storef); + return err; +} + +/* Read the fingerprint store from a FILE* into the given + * OtrlUserState. Use add_app_data to add application data to each + * ConnContext so created. The FILE* must be open for reading. */ +gcry_error_t otrl_privkey_read_fingerprints_FILEp(OtrlUserState us, + FILE *storef, + void (*add_app_data)(void *data, ConnContext *context), + void *data) +{ + ConnContext *context; + char storeline[1000]; + unsigned char fingerprint[20]; + size_t maxsize = sizeof(storeline); + + if (!storef) return gcry_error(GPG_ERR_NO_ERROR); + + while(fgets(storeline, maxsize, storef)) { + char *username; + char *accountname; + char *protocol; + char *hex; + char *trust; + char *tab; + char *eol; + Fingerprint *fng; + int i, j; + /* Parse the line, which should be of the form: + * username\taccountname\tprotocol\t40_hex_nybbles\n */ + username = storeline; + tab = strchr(username, '\t'); + if (!tab) continue; + *tab = '\0'; + + accountname = tab + 1; + tab = strchr(accountname, '\t'); + if (!tab) continue; + *tab = '\0'; + + protocol = tab + 1; + tab = strchr(protocol, '\t'); + if (!tab) continue; + *tab = '\0'; + + hex = tab + 1; + tab = strchr(hex, '\t'); + if (!tab) { + eol = strchr(hex, '\r'); + if (!eol) eol = strchr(hex, '\n'); + if (!eol) continue; + *eol = '\0'; + trust = NULL; + } else { + *tab = '\0'; + trust = tab + 1; + eol = strchr(trust, '\r'); + if (!eol) eol = strchr(trust, '\n'); + if (!eol) continue; + *eol = '\0'; + } + + if (strlen(hex) != 40) continue; + for(j=0, i=0; i<40; i+=2) { + fingerprint[j++] = (ctoh(hex[i]) << 4) + (ctoh(hex[i+1])); + } + /* Get the context for this user, adding if not yet present */ + context = otrl_context_find(us, username, accountname, protocol, + OTRL_INSTAG_MASTER, 1, NULL, add_app_data, data); + /* Add the fingerprint if not already there */ + fng = otrl_context_find_fingerprint(context, fingerprint, 1, NULL); + otrl_context_set_trust(fng, trust); + } + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Write the fingerprint store from a given OtrlUserState to a file on disk. */ +gcry_error_t otrl_privkey_write_fingerprints(OtrlUserState us, + const char *filename) +{ + gcry_error_t err; + FILE *storef; + + storef = fopen(filename, "wb"); + if (!storef) { + err = gcry_error_from_errno(errno); + return err; + } + + err = otrl_privkey_write_fingerprints_FILEp(us, storef); + + fclose(storef); + return err; +} + +/* Write the fingerprint store from a given OtrlUserState to a FILE*. + * The FILE* must be open for writing. */ +gcry_error_t otrl_privkey_write_fingerprints_FILEp(OtrlUserState us, + FILE *storef) +{ + ConnContext *context; + Fingerprint *fprint; + + if (!storef) return gcry_error(GPG_ERR_NO_ERROR); + + for(context = us->context_root; context; context = context->next) { + /* Fingerprints are only stored in the master contexts */ + if (context->their_instance != OTRL_INSTAG_MASTER) continue; + + /* Don't bother with the first (fingerprintless) entry. */ + for (fprint = context->fingerprint_root.next; fprint; + fprint = fprint->next) { + int i; + fprintf(storef, "%s\t%s\t%s\t", context->username, + context->accountname, context->protocol); + for(i=0;i<20;++i) { + fprintf(storef, "%02x", fprint->fingerprint[i]); + } + fprintf(storef, "\t%s\n", fprint->trust ? fprint->trust : ""); + } + } + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Fetch the private key from the given OtrlUserState associated with + * the given account */ +OtrlPrivKey *otrl_privkey_find(OtrlUserState us, const char *accountname, + const char *protocol) +{ + OtrlPrivKey *p; + if (!accountname || !protocol) return NULL; + + for(p=us->privkey_root; p; p=p->next) { + if (!strcmp(p->accountname, accountname) && + !strcmp(p->protocol, protocol)) { + return p; + } + } + return NULL; +} + +/* Forget a private key */ +void otrl_privkey_forget(OtrlPrivKey *privkey) +{ + free(privkey->accountname); + free(privkey->protocol); + gcry_sexp_release(privkey->privkey); + free(privkey->pubkey_data); + + /* Re-link the list */ + *(privkey->tous) = privkey->next; + if (privkey->next) { + privkey->next->tous = privkey->tous; + } + + /* Free the privkey struct */ + free(privkey); +} + +/* Forget all private keys in a given OtrlUserState. */ +void otrl_privkey_forget_all(OtrlUserState us) +{ + while (us->privkey_root) { + otrl_privkey_forget(us->privkey_root); + } +} + +/* Sign data using a private key. The data must be small enough to be + * signed (i.e. already hashed, if necessary). The signature will be + * returned in *sigp, which the caller must free(). Its length will be + * returned in *siglenp. */ +gcry_error_t otrl_privkey_sign(unsigned char **sigp, size_t *siglenp, + OtrlPrivKey *privkey, const unsigned char *data, size_t len) +{ + gcry_mpi_t r,s, datampi; + gcry_sexp_t dsas, rs, ss, sigs, datas; + size_t nr, ns; + const enum gcry_mpi_format format = GCRYMPI_FMT_USG; + + if (privkey->pubkey_type != OTRL_PUBKEY_TYPE_DSA) + return gcry_error(GPG_ERR_INV_VALUE); + + *sigp = malloc(40); + if (*sigp == NULL) return gcry_error(GPG_ERR_ENOMEM); + *siglenp = 40; + + if (len) { + gcry_mpi_scan(&datampi, GCRYMPI_FMT_USG, data, len, NULL); + } else { + datampi = gcry_mpi_set_ui(NULL, 0); + } + gcry_sexp_build(&datas, NULL, "(%m)", datampi); + gcry_mpi_release(datampi); + gcry_pk_sign(&sigs, datas, privkey->privkey); + gcry_sexp_release(datas); + dsas = gcry_sexp_find_token(sigs, "dsa", 0); + gcry_sexp_release(sigs); + rs = gcry_sexp_find_token(dsas, "r", 0); + ss = gcry_sexp_find_token(dsas, "s", 0); + gcry_sexp_release(dsas); + r = gcry_sexp_nth_mpi(rs, 1, GCRYMPI_FMT_USG); + gcry_sexp_release(rs); + s = gcry_sexp_nth_mpi(ss, 1, GCRYMPI_FMT_USG); + gcry_sexp_release(ss); + gcry_mpi_print(format, NULL, 0, &nr, r); + gcry_mpi_print(format, NULL, 0, &ns, s); + memset(*sigp, 0, 40); + gcry_mpi_print(format, (*sigp)+(20-nr), nr, NULL, r); + gcry_mpi_print(format, (*sigp)+20+(20-ns), ns, NULL, s); + gcry_mpi_release(r); + gcry_mpi_release(s); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Verify a signature on data using a public key. The data must be + * small enough to be signed (i.e. already hashed, if necessary). */ +gcry_error_t otrl_privkey_verify(const unsigned char *sigbuf, size_t siglen, + unsigned short pubkey_type, gcry_sexp_t pubs, + const unsigned char *data, size_t len) +{ + gcry_error_t err; + gcry_mpi_t datampi,r,s; + gcry_sexp_t datas, sigs; + + if (pubkey_type != OTRL_PUBKEY_TYPE_DSA || siglen != 40) + return gcry_error(GPG_ERR_INV_VALUE); + + if (len) { + gcry_mpi_scan(&datampi, GCRYMPI_FMT_USG, data, len, NULL); + } else { + datampi = gcry_mpi_set_ui(NULL, 0); + } + gcry_sexp_build(&datas, NULL, "(%m)", datampi); + gcry_mpi_release(datampi); + gcry_mpi_scan(&r, GCRYMPI_FMT_USG, sigbuf, 20, NULL); + gcry_mpi_scan(&s, GCRYMPI_FMT_USG, sigbuf+20, 20, NULL); + gcry_sexp_build(&sigs, NULL, "(sig-val (dsa (r %m)(s %m)))", r, s); + gcry_mpi_release(r); + gcry_mpi_release(s); + + err = gcry_pk_verify(sigs, datas, pubs); + gcry_sexp_release(datas); + gcry_sexp_release(sigs); + + return err; +} + diff --git a/comm/third_party/libotr/src/privkey.h b/comm/third_party/libotr/src/privkey.h new file mode 100644 index 0000000000..3b2c1735e3 --- /dev/null +++ b/comm/third_party/libotr/src/privkey.h @@ -0,0 +1,154 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Chris Alexander, Willy Lew, + * Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __PRIVKEY_H__ +#define __PRIVKEY_H__ + +#include <stdio.h> +#include "privkey-t.h" +#include "userstate.h" + +/* The length of a string representing a human-readable version of a + * fingerprint (including the trailing NUL) */ +#define OTRL_PRIVKEY_FPRINT_HUMAN_LEN 45 + +/* Convert a 20-byte hash value to a 45-byte human-readable value */ +void otrl_privkey_hash_to_human( + char human[OTRL_PRIVKEY_FPRINT_HUMAN_LEN], + const unsigned char hash[20]); + +/* Calculate a human-readable hash of our DSA public key. Return it in + * the passed fingerprint buffer. Return NULL on error, or a pointer to + * the given buffer on success. */ +char *otrl_privkey_fingerprint(OtrlUserState us, + char fingerprint[OTRL_PRIVKEY_FPRINT_HUMAN_LEN], + const char *accountname, const char *protocol); + +/* Calculate a raw hash of our DSA public key. Return it in the passed + * fingerprint buffer. Return NULL on error, or a pointer to the given + * buffer on success. */ +unsigned char *otrl_privkey_fingerprint_raw(OtrlUserState us, + unsigned char hash[20], const char *accountname, const char *protocol); + +/* Read a sets of private DSA keys from a file on disk into the given + * OtrlUserState. */ +gcry_error_t otrl_privkey_read(OtrlUserState us, const char *filename); + +/* Read a sets of private DSA keys from a FILE* into the given + * OtrlUserState. The FILE* must be open for reading. */ +gcry_error_t otrl_privkey_read_FILEp(OtrlUserState us, FILE *privf); + +/* Free the memory associated with the pending privkey list */ +void otrl_privkey_pending_forget_all(OtrlUserState us); + +/* Begin a private key generation that will potentially take place in + * a background thread. This routine must be called from the main + * thread. It will set *newkeyp, which you can pass to + * otrl_privkey_generate_calculate in a background thread. If it + * returns gcry_error(GPG_ERR_EEXIST), then a privkey creation for + * this accountname/protocol is already in progress, and *newkeyp will + * be set to NULL. */ +gcry_error_t otrl_privkey_generate_start(OtrlUserState us, + const char *accountname, const char *protocol, void **newkeyp); + +/* Do the private key generation calculation. You may call this from a + * background thread. When it completes, call + * otrl_privkey_generate_finish from the _main_ thread. */ +gcry_error_t otrl_privkey_generate_calculate(void *newkey); + +/* Call this from the main thread only. It will write the newly created + * private key into the given file and store it in the OtrlUserState. */ +gcry_error_t otrl_privkey_generate_finish(OtrlUserState us, + void *newkey, const char *filename); + +/* Call this from the main thread only. It will write the newly created + * private key into the given FILE* (which must be open for reading and + * writing) and store it in the OtrlUserState. */ +gcry_error_t otrl_privkey_generate_finish_FILEp(OtrlUserState us, + void *newkey, FILE *privf); + +/* Call this from the main thread only, in the event that the background + * thread generating the key is cancelled. The newkey is deallocated, + * and must not be used further. */ +void otrl_privkey_generate_cancelled(OtrlUserState us, void *newkey); + +/* Generate a private DSA key for a given account, storing it into a + * file on disk, and loading it into the given OtrlUserState. Overwrite any + * previously generated keys for that account in that OtrlUserState. */ +gcry_error_t otrl_privkey_generate(OtrlUserState us, const char *filename, + const char *accountname, const char *protocol); + +/* Generate a private DSA key for a given account, storing it into a + * FILE*, and loading it into the given OtrlUserState. Overwrite any + * previously generated keys for that account in that OtrlUserState. + * The FILE* must be open for reading and writing. */ +gcry_error_t otrl_privkey_generate_FILEp(OtrlUserState us, FILE *privf, + const char *accountname, const char *protocol); + +/* Read the fingerprint store from a file on disk into the given + * OtrlUserState. Use add_app_data to add application data to each + * ConnContext so created. */ +gcry_error_t otrl_privkey_read_fingerprints(OtrlUserState us, + const char *filename, + void (*add_app_data)(void *data, ConnContext *context), + void *data); + +/* Read the fingerprint store from a FILE* into the given + * OtrlUserState. Use add_app_data to add application data to each + * ConnContext so created. The FILE* must be open for reading. */ +gcry_error_t otrl_privkey_read_fingerprints_FILEp(OtrlUserState us, + FILE *storef, + void (*add_app_data)(void *data, ConnContext *context), + void *data); + +/* Write the fingerprint store from a given OtrlUserState to a file on disk. */ +gcry_error_t otrl_privkey_write_fingerprints(OtrlUserState us, + const char *filename); + +/* Write the fingerprint store from a given OtrlUserState to a FILE*. + * The FILE* must be open for writing. */ +gcry_error_t otrl_privkey_write_fingerprints_FILEp(OtrlUserState us, + FILE *storef); + +/* Fetch the private key from the given OtrlUserState associated with + * the given account */ +OtrlPrivKey *otrl_privkey_find(OtrlUserState us, const char *accountname, + const char *protocol); + +/* Forget a private key */ +void otrl_privkey_forget(OtrlPrivKey *privkey); + +/* Forget all private keys in a given OtrlUserState. */ +void otrl_privkey_forget_all(OtrlUserState us); + +/* Sign data using a private key. The data must be small enough to be + * signed (i.e. already hashed, if necessary). The signature will be + * returned in *sigp, which the caller must free(). Its length will be + * returned in *siglenp. */ +gcry_error_t otrl_privkey_sign(unsigned char **sigp, size_t *siglenp, + OtrlPrivKey *privkey, const unsigned char *data, size_t len); + +/* Verify a signature on data using a public key. The data must be + * small enough to be signed (i.e. already hashed, if necessary). */ +gcry_error_t otrl_privkey_verify(const unsigned char *sigbuf, size_t siglen, + unsigned short pubkey_type, gcry_sexp_t pubs, + const unsigned char *data, size_t len); + +#endif diff --git a/comm/third_party/libotr/src/proto.c b/comm/third_party/libotr/src/proto.c new file mode 100644 index 0000000000..8d82dc126e --- /dev/null +++ b/comm/third_party/libotr/src/proto.c @@ -0,0 +1,1081 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2016 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* OTR Protocol implementation. This file should be independent of + * gaim, so that it can be used to make other clients. */ + +/* system headers */ +#include <stdio.h> +#include <stdlib.h> +#include <assert.h> + +/* libgcrypt headers */ +#include <gcrypt.h> + +/* libotr headers */ +#include "b64.h" +#include "privkey.h" +#include "proto.h" +#include "mem.h" +#include "version.h" +#include "tlv.h" +#include "serial.h" + +#if OTRL_DEBUGGING +extern const char *OTRL_DEBUGGING_DEBUGSTR; +#endif + +/* For now, we need to know the API version the client is using so that + * we don't use any UI callbacks it hasn't set. */ +unsigned int otrl_api_version = 0; + +/* Initialize the OTR library. Pass the version of the API you are + * using. */ +gcry_error_t otrl_init(unsigned int ver_major, unsigned int ver_minor, + unsigned int ver_sub) +{ + unsigned int api_version; + + /* The major versions have to match, and you can't be using a newer + * minor version than we expect. */ + if (ver_major != OTRL_VERSION_MAJOR || ver_minor > OTRL_VERSION_MINOR) { + fprintf(stderr, "Expected libotr API version %u.%u.%u incompatible " + "with actual version %u.%u.%u. Aborting.\n", + ver_major, ver_minor, ver_sub, + OTRL_VERSION_MAJOR, OTRL_VERSION_MINOR, OTRL_VERSION_SUB); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Set the API version. If we get called multiple times for some + * reason, take the smallest value. */ + api_version = (ver_major << 16) | (ver_minor << 8) | (ver_sub); + if (otrl_api_version == 0 || otrl_api_version > api_version) { + otrl_api_version = api_version; + } + + /* Initialize the memory module */ + otrl_mem_init(); + + /* Initialize the DH module */ + otrl_dh_init(); + + /* Initialize the SM module */ + otrl_sm_init(); + +#if OTRL_DEBUGGING + /* Inform the user that debugging is available */ + fprintf(stderr, "\nlibotr debugging is available. Type %s in a message\n" + " to see debug info.\n\n", OTRL_DEBUGGING_DEBUGSTR); +#endif + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Return a pointer to a static string containing the version number of + * the OTR library. */ +const char *otrl_version(void) +{ + return OTRL_VERSION; +} + +/* Store some MAC keys to be revealed later */ +static gcry_error_t reveal_macs(ConnContext *context, + DH_sesskeys *sess1, DH_sesskeys *sess2) +{ + unsigned int numnew = sess1->rcvmacused + sess1->sendmacused + + sess2->rcvmacused + sess2->sendmacused; + unsigned int newnumsaved; + unsigned char *newmacs; + + /* Is there anything to do? */ + if (numnew == 0) return gcry_error(GPG_ERR_NO_ERROR); + + newnumsaved = context->context_priv->numsavedkeys + numnew; + newmacs = realloc(context->context_priv->saved_mac_keys, + newnumsaved * 20); + if (!newmacs) { + return gcry_error(GPG_ERR_ENOMEM); + } + if (sess1->rcvmacused) { + memmove(newmacs + context->context_priv->numsavedkeys * 20, + sess1->rcvmackey, 20); + context->context_priv->numsavedkeys++; + } + if (sess1->sendmacused) { + memmove(newmacs + context->context_priv->numsavedkeys * 20, + sess1->sendmackey, 20); + context->context_priv->numsavedkeys++; + } + if (sess2->rcvmacused) { + memmove(newmacs + context->context_priv->numsavedkeys * 20, + sess2->rcvmackey, 20); + context->context_priv->numsavedkeys++; + } + if (sess2->sendmacused) { + memmove(newmacs + context->context_priv->numsavedkeys * 20, + sess2->sendmackey, 20); + context->context_priv->numsavedkeys++; + } + context->context_priv->saved_mac_keys = newmacs; + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Make a new DH key for us, and rotate old old ones. Be sure to keep + * the sesskeys array in sync. */ +static gcry_error_t rotate_dh_keys(ConnContext *context) +{ + gcry_error_t err; + + /* Rotate the keypair */ + otrl_dh_keypair_free(&(context->context_priv->our_old_dh_key)); + memmove(&(context->context_priv->our_old_dh_key), + &(context->context_priv->our_dh_key), + sizeof(DH_keypair)); + + /* Rotate the session keys */ + err = reveal_macs(context, &(context->context_priv->sesskeys[1][0]), + &(context->context_priv->sesskeys[1][1])); + if (err) return err; + otrl_dh_session_free(&(context->context_priv->sesskeys[1][0])); + otrl_dh_session_free(&(context->context_priv->sesskeys[1][1])); + memmove(&(context->context_priv->sesskeys[1][0]), + &(context->context_priv->sesskeys[0][0]), + sizeof(DH_sesskeys)); + memmove(&(context->context_priv->sesskeys[1][1]), + &(context->context_priv->sesskeys[0][1]), + sizeof(DH_sesskeys)); + + /* Create a new DH key */ + otrl_dh_gen_keypair(DH1536_GROUP_ID, &(context->context_priv->our_dh_key)); + context->context_priv->our_keyid++; + + /* Make the session keys */ + if (context->context_priv->their_y) { + err = otrl_dh_session(&(context->context_priv->sesskeys[0][0]), + &(context->context_priv->our_dh_key), + context->context_priv->their_y); + if (err) return err; + } else { + otrl_dh_session_blank(&(context->context_priv->sesskeys[0][0])); + } + if (context->context_priv->their_old_y) { + err = otrl_dh_session(&(context->context_priv->sesskeys[0][1]), + &(context->context_priv->our_dh_key), + context->context_priv->their_old_y); + if (err) return err; + } else { + otrl_dh_session_blank(&(context->context_priv->sesskeys[0][1])); + } + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Rotate in a new DH public key for our correspondent. Be sure to keep + * the sesskeys array in sync. */ +static gcry_error_t rotate_y_keys(ConnContext *context, gcry_mpi_t new_y) +{ + gcry_error_t err; + + /* Rotate the public key */ + gcry_mpi_release(context->context_priv->their_old_y); + context->context_priv->their_old_y = context->context_priv->their_y; + + /* Rotate the session keys */ + err = reveal_macs(context, &(context->context_priv->sesskeys[0][1]), + &(context->context_priv->sesskeys[1][1])); + if (err) return err; + otrl_dh_session_free(&(context->context_priv->sesskeys[0][1])); + otrl_dh_session_free(&(context->context_priv->sesskeys[1][1])); + memmove(&(context->context_priv->sesskeys[0][1]), + &(context->context_priv->sesskeys[0][0]), + sizeof(DH_sesskeys)); + memmove(&(context->context_priv->sesskeys[1][1]), + &(context->context_priv->sesskeys[1][0]), + sizeof(DH_sesskeys)); + + /* Copy in the new public key */ + context->context_priv->their_y = gcry_mpi_copy(new_y); + context->context_priv->their_keyid++; + + /* Make the session keys */ + err = otrl_dh_session(&(context->context_priv->sesskeys[0][0]), + &(context->context_priv->our_dh_key), + context->context_priv->their_y); + if (err) return err; + err = otrl_dh_session(&(context->context_priv->sesskeys[1][0]), + &(context->context_priv->our_old_dh_key), + context->context_priv->their_y); + if (err) return err; + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Return a pointer to a newly-allocated OTR query message, customized + * with our name. The caller should free() the result when he's done + * with it. */ +char *otrl_proto_default_query_msg(const char *ourname, OtrlPolicy policy) +{ + char *msg; + int v1_supported, v2_supported, v3_supported; + char *version_tag; + char *bufp; + /* Don't use g_strdup_printf here, because someone (not us) is going + * to free() the *message pointer, not g_free() it. We can't + * require that they g_free() it, because this pointer will probably + * get passed to the main IM application for processing (and + * free()ing). */ + const char *format = "?OTR%s\n<b>%s</b> has requested an " + "<a href=\"https://otr.cypherpunks.ca/\">Off-the-Record " + "private conversation</a>. However, you do not have a plugin " + "to support that.\nSee <a href=\"https://otr.cypherpunks.ca/\">" + "https://otr.cypherpunks.ca/</a> for more information."; + + /* Figure out the version tag */ + v1_supported = (policy & OTRL_POLICY_ALLOW_V1); + v2_supported = (policy & OTRL_POLICY_ALLOW_V2); + v3_supported = (policy & OTRL_POLICY_ALLOW_V3); + version_tag = malloc(8); + bufp = version_tag; + if (v1_supported) { + *bufp = '?'; + bufp++; + } + if (v2_supported || v3_supported) { + *bufp = 'v'; + bufp++; + if (v2_supported) { + *bufp = '2'; + bufp++; + } + if (v3_supported) { + *bufp = '3'; + bufp++; + } + *bufp = '?'; + bufp++; + } + *bufp = '\0'; + + /* Remove two "%s", add '\0' */ + msg = malloc(strlen(format) + strlen(version_tag) + strlen(ourname) - 3); + if (!msg) { + free(version_tag); + return NULL; + } + sprintf(msg, format, version_tag, ourname); + free(version_tag); + return msg; +} + +/* Return the best version of OTR support by both sides, given an OTR + * Query Message and the local policy. */ +unsigned int otrl_proto_query_bestversion(const char *otrquerymsg, + OtrlPolicy policy) +{ + char *otrtag; + unsigned int query_versions = 0; + + + otrtag = strstr(otrquerymsg, "?OTR"); + if (!otrtag) { + return 0; + } + otrtag += 4; + + if (*otrtag == '?') { + query_versions = (1<<0); + ++otrtag; + } + if (*otrtag == 'v') { + for(++otrtag; *otrtag && *otrtag != '?'; ++otrtag) { + switch(*otrtag) { + case '2': + query_versions |= (1<<1); + break; + case '3': + query_versions |= (1<<2); + break; + } + } + } + + if ((policy & OTRL_POLICY_ALLOW_V3) && (query_versions & (1<<2))) { + return 3; + } + if ((policy & OTRL_POLICY_ALLOW_V2) && (query_versions & (1<<1))) { + return 2; + } + if ((policy & OTRL_POLICY_ALLOW_V1) && (query_versions & (1<<0))) { + return 1; + } + return 0; +} + +/* Locate any whitespace tag in this message, and return the best + * version of OTR support on both sides. Set *starttagp and *endtagp to + * the start and end of the located tag, so that it can be snipped out. */ +unsigned int otrl_proto_whitespace_bestversion(const char *msg, + const char **starttagp, const char **endtagp, OtrlPolicy policy) +{ + const char *starttag, *endtag; + unsigned int query_versions = 0; + + *starttagp = NULL; + *endtagp = NULL; + + starttag = strstr(msg, OTRL_MESSAGE_TAG_BASE); + if (!starttag) return 0; + + endtag = starttag + strlen(OTRL_MESSAGE_TAG_BASE); + + /* Look for groups of 8 spaces and/or tabs */ + while(1) { + int i; + int allwhite = 1; + for(i=0;i<8;++i) { + if (endtag[i] != ' ' && endtag[i] != '\t') { + allwhite = 0; + break; + } + } + if (allwhite) { + if (!strncmp(endtag, OTRL_MESSAGE_TAG_V1, 8)) { + query_versions |= (1<<0); + } + if (!strncmp(endtag, OTRL_MESSAGE_TAG_V2, 8)) { + query_versions |= (1<<1); + } + if (!strncmp(endtag, OTRL_MESSAGE_TAG_V3, 8)) { + query_versions |= (1<<2); + } + endtag += 8; + } else { + break; + } + } + + *starttagp = starttag; + *endtagp = endtag; + + if ((policy & OTRL_POLICY_ALLOW_V3) && (query_versions & (1<<2))) { + return 3; + } + if ((policy & OTRL_POLICY_ALLOW_V2) && (query_versions & (1<<1))) { + return 2; + } + if ((policy & OTRL_POLICY_ALLOW_V1) && (query_versions & (1<<0))) { + return 1; + } + return 0; +} + +/* Find the message type. */ +OtrlMessageType otrl_proto_message_type(const char *message) +{ + char *otrtag; + + otrtag = strstr(message, "?OTR"); + + if (!otrtag) { + if (strstr(message, OTRL_MESSAGE_TAG_BASE)) { + return OTRL_MSGTYPE_TAGGEDPLAINTEXT; + } else { + return OTRL_MSGTYPE_NOTOTR; + } + } + + if (!strncmp(otrtag, "?OTR:AAM", 8) || !strncmp(otrtag, "?OTR:AAI", 8)) { + switch(*(otrtag + 8)) { + case 'C': return OTRL_MSGTYPE_DH_COMMIT; + case 'K': return OTRL_MSGTYPE_DH_KEY; + case 'R': return OTRL_MSGTYPE_REVEALSIG; + case 'S': return OTRL_MSGTYPE_SIGNATURE; + case 'D': return OTRL_MSGTYPE_DATA; + } + } else { + if (!strncmp(otrtag, "?OTR?", 5)) return OTRL_MSGTYPE_QUERY; + if (!strncmp(otrtag, "?OTRv", 5)) return OTRL_MSGTYPE_QUERY; + if (!strncmp(otrtag, "?OTR:AAEK", 9)) return OTRL_MSGTYPE_V1_KEYEXCH; + if (!strncmp(otrtag, "?OTR:AAED", 9)) return OTRL_MSGTYPE_DATA; + if (!strncmp(otrtag, "?OTR Error:", 11)) return OTRL_MSGTYPE_ERROR; + } + return OTRL_MSGTYPE_UNKNOWN; +} + +/* Find the message version. */ +int otrl_proto_message_version(const char *message) +{ + char *otrtag; + + otrtag = strstr(message, "?OTR"); + + if (!otrtag) { + return 0; + } + + if (!strncmp(otrtag, "?OTR:AAM", 8)) + return 3; + if (!strncmp(otrtag, "?OTR:AAI", 8)) + return 2; + if (!strncmp(otrtag, "?OTR:AAE", 8)) + return 1; + + return 0; +} + +/* Find the instance tags in this message */ +gcry_error_t otrl_proto_instance(const char *otrmsg, + unsigned int *instance_from, unsigned int *instance_to) +{ + gcry_error_t err = gcry_error(GPG_ERR_NO_ERROR); + + const char *otrtag = otrmsg; + unsigned char *bufp = NULL; + unsigned char *bufp_head = NULL; + size_t lenp; + + if (!otrtag || strncmp(otrtag, "?OTR:AAM", 8)) { + goto invval; + } + + if (strlen(otrtag) < 21 ) goto invval; + + /* Decode and extract instance tag */ + bufp = malloc(OTRL_B64_MAX_DECODED_SIZE(12)); + bufp_head = bufp; + lenp = otrl_base64_decode(bufp, otrtag+9, 12); + read_int(*instance_from); + read_int(*instance_to); + free(bufp_head); + return gcry_error(GPG_ERR_NO_ERROR); +invval: + free(bufp_head); + err = gcry_error(GPG_ERR_INV_VALUE); + return err; +} + +/* Create an OTR Data message. Pass the plaintext as msg, and an + * optional chain of TLVs. A newly-allocated string will be returned in + * *encmessagep. Put the current extra symmetric key into extrakey + * (if non-NULL). */ +gcry_error_t otrl_proto_create_data(char **encmessagep, ConnContext *context, + const char *msg, const OtrlTLV *tlvs, unsigned char flags, + unsigned char *extrakey) +{ + size_t justmsglen = strlen(msg); + size_t msglen = justmsglen + 1 + otrl_tlv_seriallen(tlvs); + size_t buflen; + size_t pubkeylen; + unsigned char *buf = NULL; + unsigned char *bufp; + size_t lenp; + DH_sesskeys *sess = &(context->context_priv->sesskeys[1][0]); + gcry_error_t err; + size_t reveallen = 20 * context->context_priv->numsavedkeys; + char *base64buf = NULL; + unsigned char *msgbuf = NULL; + enum gcry_mpi_format format = GCRYMPI_FMT_USG; + char *msgdup; + int version = context->protocol_version; + + *encmessagep = NULL; + + /* Make sure we're actually supposed to be able to encrypt */ + if (context->msgstate != OTRL_MSGSTATE_ENCRYPTED || + context->context_priv->their_keyid == 0) { + return gcry_error(GPG_ERR_CONFLICT); + } + + /* We need to copy the incoming msg, since it might be an alias for + * context->lastmessage, which we'll be freeing soon. */ + msgdup = gcry_malloc_secure(justmsglen + 1); + if (msgdup == NULL) { + return gcry_error(GPG_ERR_ENOMEM); + } + strcpy(msgdup, msg); + + /* Header, msg flags, send keyid, recv keyid, counter, msg len, msg + * len of revealed mac keys, revealed mac keys, MAC */ + buflen = OTRL_HEADER_LEN + (version == 3 ? 8 : 0) + + (version == 2 || version == 3 ? 1 : 0) + 4 + 4 + + 8 + 4 + msglen + 4 + reveallen + 20; + gcry_mpi_print(format, NULL, 0, &pubkeylen, + context->context_priv->our_dh_key.pub); + buflen += pubkeylen + 4; + buf = malloc(buflen); + msgbuf = gcry_malloc_secure(msglen); + if (buf == NULL || msgbuf == NULL) { + free(buf); + gcry_free(msgbuf); + gcry_free(msgdup); + return gcry_error(GPG_ERR_ENOMEM); + } + memmove(msgbuf, msgdup, justmsglen); + msgbuf[justmsglen] = '\0'; + otrl_tlv_serialize(msgbuf + justmsglen + 1, tlvs); + bufp = buf; + lenp = buflen; + if (version == 1) { + memmove(bufp, "\x00\x01\x03", 3); /* header */ + } else if (version == 2) { + memmove(bufp, "\x00\x02\x03", 3); /* header */ + } else { + memmove(bufp, "\x00\x03\x03", 3); /* header */ + } + + debug_data("Header", bufp, 3); + bufp += 3; lenp -= 3; + + if (version == 3) { + /* v3 instance tags */ + write_int(context->our_instance); + debug_int("Sender instag", bufp-4); + write_int(context->their_instance); + debug_int("Recipient instag", bufp-4); + } + + if (version == 2 || version == 3) { + bufp[0] = flags; + bufp += 1; lenp -= 1; + } + + write_int(context->context_priv->our_keyid-1); /* sender keyid */ + debug_int("Sender keyid", bufp-4); + write_int(context->context_priv->their_keyid); /* recipient keyid */ + debug_int("Recipient keyid", bufp-4); + + write_mpi(context->context_priv->our_dh_key.pub, pubkeylen, "Y"); /* Y */ + + otrl_dh_incctr(sess->sendctr); + memmove(bufp, sess->sendctr, 8); /* Counter (top 8 bytes only) */ + debug_data("Counter", bufp, 8); + bufp += 8; lenp -= 8; + + write_int(msglen); /* length of encrypted data */ + debug_int("Msg len", bufp-4); + + err = gcry_cipher_reset(sess->sendenc); + if (err) goto err; + err = gcry_cipher_setctr(sess->sendenc, sess->sendctr, 16); + if (err) goto err; + err = gcry_cipher_encrypt(sess->sendenc, bufp, msglen, msgbuf, msglen); + if (err) goto err; /* encrypted data */ + debug_data("Enc data", bufp, msglen); + bufp += msglen; + lenp -= msglen; + + gcry_md_reset(sess->sendmac); + gcry_md_write(sess->sendmac, buf, bufp-buf); + memmove(bufp, gcry_md_read(sess->sendmac, GCRY_MD_SHA1), 20); + debug_data("MAC", bufp, 20); + bufp += 20; /* MAC */ + lenp -= 20; + + write_int(reveallen); /* length of revealed MAC keys */ + debug_int("Revealed MAC length", bufp-4); + + if (reveallen > 0) { + memmove(bufp, context->context_priv->saved_mac_keys, reveallen); + debug_data("Revealed MAC data", bufp, reveallen); + bufp += reveallen; lenp -= reveallen; + free(context->context_priv->saved_mac_keys); + context->context_priv->saved_mac_keys = NULL; + context->context_priv->numsavedkeys = 0; + } + + assert(lenp == 0); + + /* Make the base64-encoding. */ + base64buf = otrl_base64_otr_encode(buf, buflen); + if (base64buf == NULL) { + err = gcry_error(GPG_ERR_ENOMEM); + goto err; + } + + free(buf); + gcry_free(msgbuf); + *encmessagep = base64buf; + gcry_free(context->context_priv->lastmessage); + context->context_priv->lastmessage = NULL; + context->context_priv->may_retransmit = 0; + if (msglen > 0) { + context->context_priv->lastmessage = gcry_malloc_secure(justmsglen + 1); + if (context->context_priv->lastmessage) { + strcpy(context->context_priv->lastmessage, msgdup); + } + } + gcry_free(msgdup); + + /* Save a copy of the current extra key */ + if (extrakey) { + memmove(extrakey, sess->extrakey, OTRL_EXTRAKEY_BYTES); + } + + return gcry_error(GPG_ERR_NO_ERROR); +err: + free(buf); + gcry_free(msgbuf); + gcry_free(msgdup); + *encmessagep = NULL; + return err; +} + +/* Extract the flags from an otherwise unreadable Data Message. */ +gcry_error_t otrl_proto_data_read_flags(const char *datamsg, + unsigned char *flagsp) +{ + char *otrtag, *endtag; + unsigned char *rawmsg = NULL; + unsigned char *bufp; + size_t msglen, rawlen, lenp; + unsigned char version; + + if (flagsp) *flagsp = 0; + otrtag = strstr(datamsg, "?OTR:"); + if (!otrtag) { + goto invval; + } + endtag = strchr(otrtag, '.'); + if (endtag) { + msglen = endtag-otrtag; + } else { + msglen = strlen(otrtag); + } + + /* Skip over the "?OTR:" */ + otrtag += 5; + msglen -= 5; + + /* Base64-decode the message */ + rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */ + rawmsg = malloc(rawlen); + if (!rawmsg && rawlen > 0) { + return gcry_error(GPG_ERR_ENOMEM); + } + rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */ + + bufp = rawmsg; + lenp = rawlen; + + require_len(3); + version = bufp[1]; + skip_header('\x03'); + + if (version == 3) { + require_len(8); + bufp += 8; lenp -= 8; + } + + if (version == 2 || version == 3) { + require_len(1); + if (flagsp) *flagsp = bufp[0]; + bufp += 1; lenp -= 1; + } + + free(rawmsg); + return gcry_error(GPG_ERR_NO_ERROR); + +invval: + free(rawmsg); + return gcry_error(GPG_ERR_INV_VALUE); +} + +/* Accept an OTR Data Message in datamsg. Decrypt it and put the + * plaintext into *plaintextp, and any TLVs into tlvsp. Put any + * received flags into *flagsp (if non-NULL). Put the current extra + * symmetric key into extrakey (if non-NULL). */ +gcry_error_t otrl_proto_accept_data(char **plaintextp, OtrlTLV **tlvsp, + ConnContext *context, const char *datamsg, unsigned char *flagsp, + unsigned char *extrakey) +{ + char *otrtag, *endtag; + gcry_error_t err; + unsigned char *rawmsg = NULL; + size_t msglen, rawlen, lenp; + unsigned char *macstart, *macend; + unsigned char *bufp; + unsigned int sender_keyid, recipient_keyid; + gcry_mpi_t sender_next_y = NULL; + unsigned char ctr[8]; + size_t datalen, reveallen; + unsigned char *data = NULL; + unsigned char *nul = NULL; + unsigned char givenmac[20]; + DH_sesskeys *sess; + unsigned char version; + + *plaintextp = NULL; + *tlvsp = NULL; + if (flagsp) *flagsp = 0; + otrtag = strstr(datamsg, "?OTR:"); + if (!otrtag) { + goto invval; + } + endtag = strchr(otrtag, '.'); + if (endtag) { + msglen = endtag-otrtag; + } else { + msglen = strlen(otrtag); + } + + /* Skip over the "?OTR:" */ + otrtag += 5; + msglen -= 5; + + /* Base64-decode the message */ + rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */ + rawmsg = malloc(rawlen); + if (!rawmsg && rawlen > 0) { + err = gcry_error(GPG_ERR_ENOMEM); + goto err; + } + rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */ + + bufp = rawmsg; + lenp = rawlen; + + macstart = bufp; + require_len(3); + version = bufp[1]; + + skip_header('\x03'); + + if (version == 3) { + require_len(8); + bufp += 8; lenp -= 8; + } + + if (version == 2 || version == 3) { + require_len(1); + if (flagsp) *flagsp = bufp[0]; + bufp += 1; lenp -= 1; + } + + read_int(sender_keyid); + read_int(recipient_keyid); + read_mpi(sender_next_y); + require_len(8); + memmove(ctr, bufp, 8); + bufp += 8; lenp -= 8; + read_int(datalen); + require_len(datalen); + data = malloc(datalen+1); + if (!data) { + err = gcry_error(GPG_ERR_ENOMEM); + goto err; + } + memmove(data, bufp, datalen); + data[datalen] = '\0'; + bufp += datalen; lenp -= datalen; + macend = bufp; + require_len(20); + memmove(givenmac, bufp, 20); + bufp += 20; lenp -= 20; + read_int(reveallen); + require_len(reveallen); + /* Just skip over the revealed MAC keys, which we don't need. They + * were published for deniability of transcripts. */ + bufp += reveallen; lenp -= reveallen; + + /* That should be everything */ + if (lenp != 0) goto invval; + + /* We don't take any action on this message (especially rotating + * keys) until we've verified the MAC on this message. To that end, + * we need to know which keys this message is claiming to use. */ + if (context->context_priv->their_keyid == 0 || + (sender_keyid != context->context_priv->their_keyid && + sender_keyid != context->context_priv->their_keyid - 1) || + (recipient_keyid != context->context_priv->our_keyid && + recipient_keyid != context->context_priv->our_keyid - 1) || + sender_keyid == 0 || recipient_keyid == 0) { + goto conflict; + } + + if (sender_keyid == context->context_priv->their_keyid - 1 && + context->context_priv->their_old_y == NULL) { + goto conflict; + } + + /* These are the session keys this message is claiming to use. */ + sess = &(context->context_priv->sesskeys + [context->context_priv->our_keyid - recipient_keyid] + [context->context_priv->their_keyid - sender_keyid]); + + gcry_md_reset(sess->rcvmac); + gcry_md_write(sess->rcvmac, macstart, macend-macstart); + if (otrl_mem_differ(givenmac, gcry_md_read(sess->rcvmac, GCRY_MD_SHA1), + 20)) { + /* The MACs didn't match! */ + goto conflict; + } + sess->rcvmacused = 1; + + /* Check to see that the counter is increasing; i.e. that this isn't + * a replay. */ + if (otrl_dh_cmpctr(ctr, sess->rcvctr) <= 0) { + goto conflict; + } + + /* Decrypt the message */ + memmove(sess->rcvctr, ctr, 8); + err = gcry_cipher_reset(sess->rcvenc); + if (err) goto err; + err = gcry_cipher_setctr(sess->rcvenc, sess->rcvctr, 16); + if (err) goto err; + err = gcry_cipher_decrypt(sess->rcvenc, data, datalen, NULL, 0); + if (err) goto err; + + /* Save a copy of the current extra key */ + if (extrakey) { + memmove(extrakey, sess->extrakey, OTRL_EXTRAKEY_BYTES); + } + + /* See if either set of keys needs rotating */ + + if (recipient_keyid == context->context_priv->our_keyid) { + /* They're using our most recent key, so generate a new one */ + err = rotate_dh_keys(context); + if (err) goto err; + } + + if (sender_keyid == context->context_priv->their_keyid) { + /* They've sent us a new public key */ + err = rotate_y_keys(context, sender_next_y); + if (err) goto err; + } + + gcry_mpi_release(sender_next_y); + *plaintextp = (char *)data; + + /* See if there are TLVs */ + nul = data; + while (nul < data+datalen && *nul) ++nul; + /* If we stopped before the end, skip the NUL we stopped at */ + if (nul < data+datalen) ++nul; + *tlvsp = otrl_tlv_parse(nul, (data+datalen)-nul); + + free(rawmsg); + return gcry_error(GPG_ERR_NO_ERROR); + +invval: + err = gcry_error(GPG_ERR_INV_VALUE); + goto err; +conflict: + err = gcry_error(GPG_ERR_CONFLICT); + goto err; +err: + gcry_mpi_release(sender_next_y); + free(data); + free(rawmsg); + return err; +} + +/* Accumulate a potential fragment into the current context. */ +OtrlFragmentResult otrl_proto_fragment_accumulate(char **unfragmessagep, + ConnContext *context, const char *msg) +{ + OtrlFragmentResult res = OTRL_FRAGMENT_INCOMPLETE; + const char *tag; + unsigned short n = 0, k = 0; + int start = 0, end = 0; + + tag = strstr(msg, "?OTR|"); + if (tag) { + sscanf(tag, "?OTR|%*x|%*x,%hu,%hu,%n%*[^,],%n", &k, &n, &start, &end); + } else if ((tag = strstr(msg, "?OTR,")) != NULL) { + sscanf(tag, "?OTR,%hu,%hu,%n%*[^,],%n", &k, &n, &start, &end); + } else { + /* Unfragmented message, so discard any fragment we may have */ + free(context->context_priv->fragment); + context->context_priv->fragment = NULL; + context->context_priv->fragment_len = 0; + context->context_priv->fragment_n = 0; + context->context_priv->fragment_k = 0; + res = OTRL_FRAGMENT_UNFRAGMENTED; + return res; + } + + if (k > 0 && n > 0 && k <= n && start > 0 && end > 0 && start < end) { + if (k == 1) { + size_t fraglen = end - start - 1; + size_t newsize = fraglen + 1; + free(context->context_priv->fragment); + context->context_priv->fragment = NULL; + if (newsize >= 1) { /* Check for overflow */ + context->context_priv->fragment = malloc(newsize); + } + if (context->context_priv->fragment) { + memmove(context->context_priv->fragment, tag + start, fraglen); + context->context_priv->fragment_len = fraglen; + context->context_priv->fragment[ + context->context_priv->fragment_len] = '\0'; + context->context_priv->fragment_n = n; + context->context_priv->fragment_k = k; + } else { + context->context_priv->fragment_len = 0; + context->context_priv->fragment_n = 0; + context->context_priv->fragment_k = 0; + } + } else if (n == context->context_priv->fragment_n && + k == context->context_priv->fragment_k + 1) { + size_t fraglen = end - start - 1; + char *newfrag = NULL; + size_t newsize = context->context_priv->fragment_len + fraglen + 1; + /* Check for overflow */ + if (newsize > context->context_priv->fragment_len) { + newfrag = realloc(context->context_priv->fragment, newsize); + } + if (newfrag) { + context->context_priv->fragment = newfrag; + memmove(context->context_priv->fragment + + context->context_priv->fragment_len, + tag + start, fraglen); + context->context_priv->fragment_len += fraglen; + context->context_priv->fragment[ + context->context_priv->fragment_len] = '\0'; + context->context_priv->fragment_k = k; + } else { + free(context->context_priv->fragment); + context->context_priv->fragment = NULL; + context->context_priv->fragment_len = 0; + context->context_priv->fragment_n = 0; + context->context_priv->fragment_k = 0; + } + } else { + free(context->context_priv->fragment); + context->context_priv->fragment = NULL; + context->context_priv->fragment_len = 0; + context->context_priv->fragment_n = 0; + context->context_priv->fragment_k = 0; + } + } + + if (context->context_priv->fragment_n > 0 && + context->context_priv->fragment_n == + context->context_priv->fragment_k) { + /* We've got a complete message */ + *unfragmessagep = context->context_priv->fragment; + context->context_priv->fragment = NULL; + context->context_priv->fragment_len = 0; + context->context_priv->fragment_n = 0; + context->context_priv->fragment_k = 0; + res = OTRL_FRAGMENT_COMPLETE; + } + + return res; +} + +/* Create a fragmented message. */ +gcry_error_t otrl_proto_fragment_create(int mms, int fragment_count, + char ***fragments, ConnContext *context, const char *message) +{ + char *fragdata; + size_t fragdatalen = 0; + int curfrag = 0; + size_t index = 0; + size_t msglen = strlen(message); + /* Should vary by number of msgs */ + int headerlen = context->protocol_version == 3 ? 37 : 19; + + char **fragmentarray; + + if (fragment_count < 1 || fragment_count > 65535) { + return gcry_error(GPG_ERR_INV_VALUE); + } + + fragmentarray = malloc(fragment_count * sizeof(char*)); + if(!fragmentarray) return gcry_error(GPG_ERR_ENOMEM); + + /* + * Find the next message fragment and store it in the array. + */ + for(curfrag = 1; curfrag <= fragment_count; curfrag++) { + int i; + char *fragmentmsg; + + if (msglen - index < (size_t)(mms - headerlen)) { + fragdatalen = msglen - index; + } else { + fragdatalen = mms - headerlen; + } + + fragdata = malloc(fragdatalen + 1); + if(!fragdata) { + for (i=0; i<curfrag-1; free(fragmentarray[i++])) {} + free(fragmentarray); + return gcry_error(GPG_ERR_ENOMEM); + } + strncpy(fragdata, message, fragdatalen); + fragdata[fragdatalen] = 0; + + fragmentmsg = malloc(fragdatalen+headerlen+1); + if(!fragmentmsg) { + for (i=0; i<curfrag-1; free(fragmentarray[i++])) {} + free(fragmentarray); + free(fragdata); + return gcry_error(GPG_ERR_ENOMEM); + } + + /* + * Create the actual fragment and store it in the array + */ + if (context->auth.protocol_version != 3) { + snprintf(fragmentmsg, fragdatalen + headerlen, + "?OTR,%05hu,%05hu,%s,", (unsigned short)curfrag, + (unsigned short)fragment_count, fragdata); + } else { + /* V3 messages require instance tags in the header */ + snprintf(fragmentmsg, fragdatalen + headerlen, + "?OTR|%08x|%08x,%05hu,%05hu,%s,", + context->our_instance, context->their_instance, + (unsigned short)curfrag, (unsigned short)fragment_count, + fragdata); + } + fragmentmsg[fragdatalen + headerlen] = 0; + + fragmentarray[curfrag-1] = fragmentmsg; + + free(fragdata); + index += fragdatalen; + message += fragdatalen; + } + + *fragments = fragmentarray; + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Free a string array containing fragment messages. */ +void otrl_proto_fragment_free(char ***fragments, unsigned short arraylen) +{ + int i; + char **fragmentarray = *fragments; + if(fragmentarray) { + for(i = 0; i < arraylen; i++) + { + if(fragmentarray[i]) { + free(fragmentarray[i]); + } + } + free(fragmentarray); + } +} + diff --git a/comm/third_party/libotr/src/proto.h b/comm/third_party/libotr/src/proto.h new file mode 100644 index 0000000000..28be83f439 --- /dev/null +++ b/comm/third_party/libotr/src/proto.h @@ -0,0 +1,174 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Rob Smits, Chris Alexander, + * Willy Lew, Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __PROTO_H__ +#define __PROTO_H__ + +#include "context.h" +#include "version.h" +#include "tlv.h" + +/* If we ever see this sequence in a plaintext message, we'll assume the + * other side speaks OTR, and try to establish a connection. */ +#define OTRL_MESSAGE_TAG_BASE " \t \t\t\t\t \t \t \t " +/* The following must each be of length 8 */ +#define OTRL_MESSAGE_TAG_V1 " \t \t \t " +#define OTRL_MESSAGE_TAG_V2 " \t\t \t " +#define OTRL_MESSAGE_TAG_V3 " \t\t \t\t" + +/* The possible flags contained in a Data Message */ +#define OTRL_MSGFLAGS_IGNORE_UNREADABLE 0x01 + +typedef unsigned int OtrlPolicy; + +#define OTRL_POLICY_ALLOW_V1 0x01 +#define OTRL_POLICY_ALLOW_V2 0x02 +#define OTRL_POLICY_ALLOW_V3 0x04 +#define OTRL_POLICY_REQUIRE_ENCRYPTION 0x08 +#define OTRL_POLICY_SEND_WHITESPACE_TAG 0x10 +#define OTRL_POLICY_WHITESPACE_START_AKE 0x20 +#define OTRL_POLICY_ERROR_START_AKE 0x40 + +#define OTRL_POLICY_VERSION_MASK (OTRL_POLICY_ALLOW_V1 | OTRL_POLICY_ALLOW_V2 |\ + OTRL_POLICY_ALLOW_V3) + +/* Length of OTR message headers */ +#define OTRL_HEADER_LEN 3 +#define OTRL_B64_HEADER_LEN 4 + +/* Analogous to v1 policies */ +#define OTRL_POLICY_NEVER 0x00 +#define OTRL_POLICY_OPPORTUNISTIC \ + ( OTRL_POLICY_ALLOW_V2 | \ + OTRL_POLICY_ALLOW_V3 | \ + OTRL_POLICY_SEND_WHITESPACE_TAG | \ + OTRL_POLICY_WHITESPACE_START_AKE | \ + OTRL_POLICY_ERROR_START_AKE ) +#define OTRL_POLICY_MANUAL \ + ( OTRL_POLICY_ALLOW_V2 | \ + OTRL_POLICY_ALLOW_V3) +#define OTRL_POLICY_ALWAYS \ + ( OTRL_POLICY_ALLOW_V2 | \ + OTRL_POLICY_ALLOW_V3 | \ + OTRL_POLICY_REQUIRE_ENCRYPTION | \ + OTRL_POLICY_WHITESPACE_START_AKE | \ + OTRL_POLICY_ERROR_START_AKE ) +#define OTRL_POLICY_DEFAULT OTRL_POLICY_OPPORTUNISTIC + +typedef enum { + OTRL_MSGTYPE_NOTOTR, + OTRL_MSGTYPE_TAGGEDPLAINTEXT, + OTRL_MSGTYPE_QUERY, + OTRL_MSGTYPE_DH_COMMIT, + OTRL_MSGTYPE_DH_KEY, + OTRL_MSGTYPE_REVEALSIG, + OTRL_MSGTYPE_SIGNATURE, + OTRL_MSGTYPE_V1_KEYEXCH, + OTRL_MSGTYPE_DATA, + OTRL_MSGTYPE_ERROR, + OTRL_MSGTYPE_UNKNOWN +} OtrlMessageType; + +typedef enum { + OTRL_FRAGMENT_UNFRAGMENTED, + OTRL_FRAGMENT_INCOMPLETE, + OTRL_FRAGMENT_COMPLETE +} OtrlFragmentResult; + +typedef enum { + OTRL_FRAGMENT_SEND_SKIP, /* Return new message back to caller, + * but don't inject. */ + OTRL_FRAGMENT_SEND_ALL, + OTRL_FRAGMENT_SEND_ALL_BUT_FIRST, + OTRL_FRAGMENT_SEND_ALL_BUT_LAST +} OtrlFragmentPolicy; + +/* Initialize the OTR library. Pass the version of the API you are + * using. */ +gcry_error_t otrl_init(unsigned int ver_major, unsigned int ver_minor, + unsigned int ver_sub); + +/* Shortcut */ +#define OTRL_INIT do { \ + if (otrl_init(OTRL_VERSION_MAJOR, OTRL_VERSION_MINOR, \ + OTRL_VERSION_SUB)) { \ + exit(1); \ + } \ + } while(0) + +/* Return a pointer to a static string containing the version number of + * the OTR library. */ +const char *otrl_version(void); + +/* Return a pointer to a newly-allocated OTR query message, customized + * with our name. The caller should free() the result when he's done + * with it. */ +char *otrl_proto_default_query_msg(const char *ourname, OtrlPolicy policy); + +/* Return the best version of OTR support by both sides, given an OTR + * Query Message and the local policy. */ +unsigned int otrl_proto_query_bestversion(const char *querymsg, + OtrlPolicy policy); + +/* Locate any whitespace tag in this message, and return the best + * version of OTR support on both sides. Set *starttagp and *endtagp to + * the start and end of the located tag, so that it can be snipped out. */ +unsigned int otrl_proto_whitespace_bestversion(const char *msg, + const char **starttagp, const char **endtagp, OtrlPolicy policy); + +/* Find the message type. */ +OtrlMessageType otrl_proto_message_type(const char *message); + +/* Find the message version. */ +int otrl_proto_message_version(const char *message); + +/* Find the instance tags in this message. */ +gcry_error_t otrl_proto_instance(const char *otrmsg, + unsigned int *instance_from, unsigned int *instance_to); + +/* Create an OTR Data message. Pass the plaintext as msg, and an + * optional chain of TLVs. A newly-allocated string will be returned in + * *encmessagep. Put the current extra symmetric key into extrakey + * (if non-NULL). */ +gcry_error_t otrl_proto_create_data(char **encmessagep, ConnContext *context, + const char *msg, const OtrlTLV *tlvs, unsigned char flags, + unsigned char *extrakey); + +/* Extract the flags from an otherwise unreadable Data Message. */ +gcry_error_t otrl_proto_data_read_flags(const char *datamsg, + unsigned char *flagsp); + +/* Accept an OTR Data Message in datamsg. Decrypt it and put the + * plaintext into *plaintextp, and any TLVs into tlvsp. Put any + * received flags into *flagsp (if non-NULL). Put the current extra + * symmetric key into extrakey (if non-NULL). */ +gcry_error_t otrl_proto_accept_data(char **plaintextp, OtrlTLV **tlvsp, + ConnContext *context, const char *datamsg, unsigned char *flagsp, + unsigned char *extrakey); + +/* Accumulate a potential fragment into the current context. */ +OtrlFragmentResult otrl_proto_fragment_accumulate(char **unfragmessagep, + ConnContext *context, const char *msg); + +gcry_error_t otrl_proto_fragment_create(int mms, int fragment_count, + char ***fragments, ConnContext *context, const char *message); + +void otrl_proto_fragment_free(char ***fragments, unsigned short arraylen); +#endif diff --git a/comm/third_party/libotr/src/serial.h b/comm/third_party/libotr/src/serial.h new file mode 100644 index 0000000000..cd2442b332 --- /dev/null +++ b/comm/third_party/libotr/src/serial.h @@ -0,0 +1,107 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Rob Smits, Chris Alexander, + * Willy Lew, Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __SERIAL_H__ +#define __SERIAL_H__ + +#undef DEBUG + +#ifdef DEBUG + +#include <stdio.h> + +#define debug_data(t,b,l) do { const unsigned char *data = (b); size_t i; \ + fprintf(stderr, "%s: ", (t)); \ + for(i=0;i<(l);++i) { \ + fprintf(stderr, "%02x", data[i]); \ + } \ + fprintf(stderr, "\n"); \ + } while(0) + +#define debug_int(t,b) do { const unsigned char *data = (b); \ + unsigned int v = \ + (((unsigned int)data[0]) << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; \ + fprintf(stderr, "%s: %u (0x%x)\n", (t), v, v); \ + } while(0) + +#else +#define debug_data(t,b,l) +#define debug_int(t,b) +#endif + +#define write_int(x) do { \ + bufp[0] = ((x) >> 24) & 0xff; \ + bufp[1] = ((x) >> 16) & 0xff; \ + bufp[2] = ((x) >> 8) & 0xff; \ + bufp[3] = (x) & 0xff; \ + bufp += 4; lenp -= 4; \ + } while(0) + +#define write_mpi(x,nx,dx) do { \ + write_int(nx); \ + gcry_mpi_print(format, bufp, lenp, NULL, (x)); \ + debug_data((dx), bufp, (nx)); \ + bufp += (nx); lenp -= (nx); \ + } while(0) + +#define require_len(l) do { \ + if (lenp < (l)) goto invval; \ + } while(0) + +#define read_int(x) do { \ + require_len(4); \ + (x) = (((unsigned int)bufp[0]) << 24) | (bufp[1] << 16) | (bufp[2] << 8) | bufp[3]; \ + bufp += 4; lenp -= 4; \ + } while(0) + +#define read_mpi(x) do { \ + size_t mpilen; \ + read_int(mpilen); \ + if (mpilen) { \ + require_len(mpilen); \ + gcry_mpi_scan(&(x), GCRYMPI_FMT_USG, bufp, mpilen, NULL); \ + } else { \ + (x) = gcry_mpi_set_ui(NULL, 0); \ + } \ + bufp += mpilen; lenp -= mpilen; \ + } while(0) + +/* Write version and msg type into bufp*/ +#define write_header(version, msgtype) do { \ + bufp[0] = 0x00; \ + bufp[1] = version & 0xff; \ + bufp[2] = msgtype; \ + debug_data("Header", bufp, 3); \ + bufp += 3; lenp -= 3; \ + } while(0) + +/* Verify msg header is v1, v2 or v3 and has type x, +* increment bufp past msg header */ +#define skip_header(x) do { \ + require_len(3); \ + if ((bufp[0] != 0x00) || (bufp[2] != x)) \ + goto invval; \ + if ((bufp[1] == 0x01) || (bufp[1] == 0x02) || \ + (bufp[1] == 0x03)) { \ + bufp += 3; lenp -= 3; \ + } else goto invval; \ + } while(0) + +#endif diff --git a/comm/third_party/libotr/src/sm.c b/comm/third_party/libotr/src/sm.c new file mode 100644 index 0000000000..4fb679ea81 --- /dev/null +++ b/comm/third_party/libotr/src/sm.c @@ -0,0 +1,998 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* system headers */ +#include <stdlib.h> +#include <stdio.h> +#include <sys/types.h> + +/* libgcrypt headers */ +#include <gcrypt.h> + +/* libotr headers */ +#include "sm.h" +#include "serial.h" + +#if OTRL_DEBUGGING + +/* Dump the contents of an SMState to the FILE *f. */ +void otrl_sm_dump(FILE *f, const OtrlSMState *sm) +{ + fprintf(f, " SM state:\n"); + fprintf(f, " Next expected: %d (%s)\n", sm->nextExpected, + sm->nextExpected == OTRL_SMP_EXPECT1 ? "EXPECT1" : + sm->nextExpected == OTRL_SMP_EXPECT2 ? "EXPECT2" : + sm->nextExpected == OTRL_SMP_EXPECT3 ? "EXPECT3" : + sm->nextExpected == OTRL_SMP_EXPECT4 ? "EXPECT4" : + sm->nextExpected == OTRL_SMP_EXPECT5 ? "EXPECT5" : + "INVALID"); + fprintf(f, " Received_Q: %d\n", sm->received_question); + fprintf(f, " Progress state: %d (%s)\n", sm->sm_prog_state, + sm->sm_prog_state == OTRL_SMP_PROG_OK ? "OK" : + sm->sm_prog_state == OTRL_SMP_PROG_CHEATED ? "CHEATED" : + sm->sm_prog_state == OTRL_SMP_PROG_FAILED ? "FAILED" : + sm->sm_prog_state == OTRL_SMP_PROG_SUCCEEDED ? "SUCCEEDED" : + "INVALID"); +} + +#endif + +static const int SM_MSG1_LEN = 6; +static const int SM_MSG2_LEN = 11; +static const int SM_MSG3_LEN = 8; +static const int SM_MSG4_LEN = 3; + +/* The modulus p */ +static const char* SM_MODULUS_S = "0x" + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" + "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"; +/* The order of the group q = (p-1)/2 */ +static const char* SM_ORDER_S = "0x" + "7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68" + "948127044533E63A0105DF531D89CD9128A5043CC71A026E" + "F7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122" + "F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6" + "F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9E" + "E1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AF" + "C1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36" + "B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF"; +static const char *SM_GENERATOR_S = "0x02"; +static const int SM_MOD_LEN_BITS = 1536; +static const int SM_MOD_LEN_BYTES = 192; + +static gcry_mpi_t SM_MODULUS = NULL; +static gcry_mpi_t SM_GENERATOR = NULL; +static gcry_mpi_t SM_ORDER = NULL; +static gcry_mpi_t SM_MODULUS_MINUS_2 = NULL; + +/* + * Call this once, at plugin load time. It sets up the modulus and + * generator MPIs. + */ +void otrl_sm_init(void) +{ + gcry_check_version(NULL); + gcry_mpi_scan(&SM_MODULUS, GCRYMPI_FMT_HEX, + (const unsigned char *)SM_MODULUS_S, 0, NULL); + gcry_mpi_scan(&SM_ORDER, GCRYMPI_FMT_HEX, + (const unsigned char *)SM_ORDER_S, 0, NULL); + gcry_mpi_scan(&SM_GENERATOR, GCRYMPI_FMT_HEX, + (const unsigned char *)SM_GENERATOR_S, 0, NULL); + SM_MODULUS_MINUS_2 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_sub_ui(SM_MODULUS_MINUS_2, SM_MODULUS, 2); +} + +/* + * Initialize the fields of a SM state. + */ +void otrl_sm_state_new(OtrlSMState *smst) +{ + smst->secret = NULL; + smst->x2 = NULL; + smst->x3 = NULL; + smst->g1 = NULL; + smst->g2 = NULL; + smst->g3 = NULL; + smst->g3o = NULL; + smst->p = NULL; + smst->q = NULL; + smst->pab = NULL; + smst->qab = NULL; + smst->nextExpected = OTRL_SMP_EXPECT1; + smst->received_question = 0; + smst->sm_prog_state = OTRL_SMP_PROG_OK; +} + +/* + * Initialize the fields of a SM state. Called the first time that + * a user begins an SMP session. + */ +void otrl_sm_state_init(OtrlSMState *smst) +{ + otrl_sm_state_free(smst); + smst->secret = gcry_mpi_snew(SM_MOD_LEN_BITS); + smst->x2 = NULL; + smst->x3 = NULL; + smst->g1 = gcry_mpi_copy(SM_GENERATOR); + smst->g2 = gcry_mpi_new(SM_MOD_LEN_BITS); + smst->g3 = gcry_mpi_new(SM_MOD_LEN_BITS); + smst->g3o = gcry_mpi_new(SM_MOD_LEN_BITS); + smst->p = gcry_mpi_new(SM_MOD_LEN_BITS); + smst->q = gcry_mpi_new(SM_MOD_LEN_BITS); + smst->pab = gcry_mpi_new(SM_MOD_LEN_BITS); + smst->qab = gcry_mpi_new(SM_MOD_LEN_BITS); + smst->received_question = 0; + smst->sm_prog_state = OTRL_SMP_PROG_OK; +} + +/* + * Initialize the fields of a SM message1. + * [0] = g2a, [1] = c2, [2] = d2, [3] = g3a, [4] = c3, [5] = d3 + */ +void otrl_sm_msg1_init(gcry_mpi_t **msg1) +{ + gcry_mpi_t *msg = malloc(SM_MSG1_LEN * sizeof(gcry_mpi_t)); + msg[0] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[1] = NULL; + msg[2] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[3] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[4] = NULL; + msg[5] = gcry_mpi_new(SM_MOD_LEN_BITS); + + *msg1 = msg; +} + +/* + * Initialize the fields of a SM message2. + * [0] = g2b, [1] = c2, [2] = d2, [3] = g3b, [4] = c3, [5] = d3 + * [6] = pb, [7] = qb, [8] = cp, [9] = d5, [10] = d6 + */ +void otrl_sm_msg2_init(gcry_mpi_t **msg2) +{ + gcry_mpi_t *msg = malloc(SM_MSG2_LEN * sizeof(gcry_mpi_t)); + msg[0] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[1] = NULL; + msg[2] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[3] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[4] = NULL; + msg[5] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[6] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[7] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[8] = NULL; + msg[9] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[10] = gcry_mpi_new(SM_MOD_LEN_BITS); + + *msg2 = msg; +} + +/* + * Initialize the fields of a SM message3. + * [0] = pa, [1] = qa, [2] = cp, [3] = d5, [4] = d6, [5] = ra, + * [6] = cr, [7] = d7 + */ +void otrl_sm_msg3_init(gcry_mpi_t **msg3) +{ + gcry_mpi_t *msg = malloc(SM_MSG3_LEN * sizeof(gcry_mpi_t)); + msg[0] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[1] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[2] = NULL; + msg[3] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[4] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[5] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[6] = NULL; + msg[7] = gcry_mpi_new(SM_MOD_LEN_BITS); + + *msg3 = msg; +} + +/* + * Initialize the fields of a SM message4. + * [0] = rb, [1] = cr, [2] = d7 + */ +void otrl_sm_msg4_init(gcry_mpi_t **msg4) +{ + gcry_mpi_t *msg = malloc(SM_MSG4_LEN * sizeof(gcry_mpi_t)); + msg[0] = gcry_mpi_new(SM_MOD_LEN_BITS); + msg[1] = NULL; + msg[2] = gcry_mpi_new(SM_MOD_LEN_BITS); + + *msg4 = msg; +} + +/* + * Deallocate the contents of a OtrlSMState (but not the OtrlSMState + * itself) + */ +void otrl_sm_state_free(OtrlSMState *smst) +{ + gcry_mpi_release(smst->secret); + gcry_mpi_release(smst->x2); + gcry_mpi_release(smst->x3); + gcry_mpi_release(smst->g1); + gcry_mpi_release(smst->g2); + gcry_mpi_release(smst->g3); + gcry_mpi_release(smst->g3o); + gcry_mpi_release(smst->p); + gcry_mpi_release(smst->q); + gcry_mpi_release(smst->pab); + gcry_mpi_release(smst->qab); + otrl_sm_state_new(smst); +} + +/* + * Deallocate the contents of a message + */ +void otrl_sm_msg_free(gcry_mpi_t **message, int msglen) +{ + gcry_mpi_t *msg = *message; + int i; + for (i=0; i<msglen; i++) { + gcry_mpi_release(msg[i]); + } + free(msg); + *message = NULL; +} + +static gcry_mpi_t randomExponent(void) +{ + unsigned char *secbuf = NULL; + gcry_mpi_t randexpon = NULL; + + /* Generate a random exponent */ + secbuf = gcry_random_bytes_secure(SM_MOD_LEN_BYTES, GCRY_STRONG_RANDOM); + gcry_mpi_scan(&randexpon, GCRYMPI_FMT_USG, secbuf, SM_MOD_LEN_BYTES, NULL); + gcry_free(secbuf); + + return randexpon; +} + +/* + * Hash one or two mpis. To hash only one mpi, b may be set to NULL. + */ +static gcry_error_t otrl_sm_hash(gcry_mpi_t* hash, int version, + const gcry_mpi_t a, const gcry_mpi_t b) +{ + unsigned char* input; + unsigned char output[SM_DIGEST_SIZE]; + size_t sizea; + size_t sizeb; + size_t totalsize; + unsigned char* dataa; + unsigned char* datab; + + gcry_mpi_aprint(GCRYMPI_FMT_USG, &dataa, &sizea, a); + totalsize = 1 + 4 + sizea; + if (b) { + gcry_mpi_aprint(GCRYMPI_FMT_USG, &datab, &sizeb, b); + totalsize += 4 + sizeb; + } else { + sizeb = 0; + } + + input = malloc(totalsize); + input[0] = (unsigned char)version; + input[1] = (unsigned char)((sizea >> 24) & 0xFF); + input[2] = (unsigned char)((sizea >> 16) & 0xFF); + input[3] = (unsigned char)((sizea >> 8) & 0xFF); + input[4] = (unsigned char)(sizea & 0xFF); + memmove(input + 5, dataa, sizea); + if (b) { + input[5 + sizea] = (unsigned char)((sizeb >> 24) & 0xFF); + input[6 + sizea] = (unsigned char)((sizeb >> 16) & 0xFF); + input[7 + sizea] = (unsigned char)((sizeb >> 8) & 0xFF); + input[8 + sizea] = (unsigned char)(sizeb & 0xFF); + memmove(input + 9 + sizea, datab, sizeb); + } + + gcry_md_hash_buffer(SM_HASH_ALGORITHM, output, input, totalsize); + gcry_mpi_scan(hash, GCRYMPI_FMT_USG, output, SM_DIGEST_SIZE, NULL); + free(input); + input = NULL; + + /* free memory */ + gcry_free(dataa); + if (b) gcry_free(datab); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* This method should be passed a pointer to an uninitialized buffer, + * and a list of mpis with a list length. When returns, the buffer will + * point to newly-allocated memory (using malloc) containing a + * reversible serialization. */ +static gcry_error_t serialize_mpi_array(unsigned char **buffer, int *buflen, + unsigned int count, gcry_mpi_t *mpis) +{ + size_t totalsize = 0, lenp, nextsize; + unsigned int i, j; + size_t *list_sizes = malloc(count * sizeof(size_t)); + unsigned char **tempbuffer = malloc(count * sizeof(unsigned char *)); + unsigned char *bufp; + + for (i=0; i<count; i++) { + gcry_mpi_aprint(GCRYMPI_FMT_USG, &(tempbuffer[i]), &(list_sizes[i]), + mpis[i]); + totalsize += list_sizes[i]; + } + + *buflen = (count+1)*4 + totalsize; + *buffer = malloc(*buflen * sizeof(char)); + + bufp = *buffer; + lenp = totalsize; + + write_int(count); + for(i=0; i<count; i++) + { + nextsize = list_sizes[i]; + write_int(nextsize); + + for(j=0; j<nextsize; j++) + bufp[j] = tempbuffer[i][j]; + + bufp += nextsize; + lenp -= nextsize; + gcry_free(tempbuffer[i]); + } + free(tempbuffer); + free(list_sizes); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Takes a buffer containing serialized and concatenated mpis + * and converts it to an array of gcry_mpi_t structs. + * The buffer is assumed to consist of a 4-byte int containing the + * number of mpis in the array, followed by {size, data} pairs for + * each mpi. If malformed, method returns GCRY_ERROR_INV_VALUE */ +static gcry_error_t unserialize_mpi_array(gcry_mpi_t **mpis, + unsigned int expcount, const unsigned char *buffer, const int buflen) +{ + unsigned int i; + size_t lenp = buflen; + unsigned int thecount = 0; + const unsigned char* bufp = buffer; + *mpis = NULL; + + read_int(thecount); + if (thecount != expcount) goto invval; + + *mpis = malloc(thecount * sizeof(gcry_mpi_t)); + + for (i=0; i<thecount; i++) { + (*mpis)[i] = NULL; + } + + for (i=0; i<thecount; i++) { + read_mpi((*mpis)[i]); + } + + return gcry_error(GPG_ERR_NO_ERROR); + +invval: + if (*mpis) { + for (i=0; i<thecount; i++) { + gcry_mpi_release((*mpis)[i]); + } + free(*mpis); + *mpis = NULL; + } + return gcry_error(GPG_ERR_INV_VALUE); +} + +/* Check that an MPI is in the right range to be a (non-unit) group + * element */ +static int check_group_elem(gcry_mpi_t g) +{ + if (gcry_mpi_cmp_ui(g, 2) < 0 || + gcry_mpi_cmp(g, SM_MODULUS_MINUS_2) > 0) { + return 1; + } + return 0; +} + +/* Check that an MPI is in the right range to be a (non-zero) exponent */ +static int check_expon(gcry_mpi_t x) +{ + if (gcry_mpi_cmp_ui(x, 1) < 0 || + gcry_mpi_cmp(x, SM_ORDER) >= 0) { + return 1; + } + return 0; +} + +/* + * Proof of knowledge of a discrete logarithm + */ +static gcry_error_t otrl_sm_proof_know_log(gcry_mpi_t *c, gcry_mpi_t *d, + const gcry_mpi_t g, const gcry_mpi_t x, int version) +{ + gcry_mpi_t r = randomExponent(); + gcry_mpi_t temp = gcry_mpi_snew(SM_MOD_LEN_BITS); + gcry_mpi_powm(temp, g, r, SM_MODULUS); + otrl_sm_hash(c, version, temp, NULL); + gcry_mpi_mulm(temp, x, *c, SM_ORDER); + gcry_mpi_subm(*d, r, temp, SM_ORDER); + gcry_mpi_release(temp); + gcry_mpi_release(r); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* + * Verify a proof of knowledge of a discrete logarithm. + * Checks that c = h(g^d x^c) + */ +static int otrl_sm_check_know_log(const gcry_mpi_t c, const gcry_mpi_t d, + const gcry_mpi_t g, const gcry_mpi_t x, int version) +{ + int comp; + + gcry_mpi_t gd = gcry_mpi_new(SM_MOD_LEN_BITS); /* g^d */ + gcry_mpi_t xc = gcry_mpi_new(SM_MOD_LEN_BITS); /* x^c */ + gcry_mpi_t gdxc = gcry_mpi_new(SM_MOD_LEN_BITS); /* (g^d x^c) */ + gcry_mpi_t hgdxc = NULL; /* h(g^d x^c) */ + + gcry_mpi_powm(gd, g, d, SM_MODULUS); + gcry_mpi_powm(xc, x, c, SM_MODULUS); + gcry_mpi_mulm(gdxc, gd, xc, SM_MODULUS); + otrl_sm_hash(&hgdxc, version, gdxc, NULL); + + comp = gcry_mpi_cmp(hgdxc, c); + gcry_mpi_release(gd); + gcry_mpi_release(xc); + gcry_mpi_release(gdxc); + gcry_mpi_release(hgdxc); + + return comp; +} + +/* + * Proof of knowledge of coordinates with first components being equal + */ +static gcry_error_t otrl_sm_proof_equal_coords(gcry_mpi_t *c, gcry_mpi_t *d1, + gcry_mpi_t *d2, const OtrlSMState *state, const gcry_mpi_t r, + int version) +{ + gcry_mpi_t r1 = randomExponent(); + gcry_mpi_t r2 = randomExponent(); + gcry_mpi_t temp1 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_t temp2 = gcry_mpi_new(SM_MOD_LEN_BITS); + + /* Compute the value of c, as c = h(g3^r1, g1^r1 g2^r2) */ + gcry_mpi_powm(temp1, state->g1, r1, SM_MODULUS); + gcry_mpi_powm(temp2, state->g2, r2, SM_MODULUS); + gcry_mpi_mulm(temp2, temp1, temp2, SM_MODULUS); + gcry_mpi_powm(temp1, state->g3, r1, SM_MODULUS); + otrl_sm_hash(c, version, temp1, temp2); + + /* Compute the d values, as d1 = r1 - r c, d2 = r2 - secret c */ + gcry_mpi_mulm(temp1, r, *c, SM_ORDER); + gcry_mpi_subm(*d1, r1, temp1, SM_ORDER); + + gcry_mpi_mulm(temp1, state->secret, *c, SM_ORDER); + gcry_mpi_subm(*d2, r2, temp1, SM_ORDER); + + /* All clear */ + gcry_mpi_release(r1); + gcry_mpi_release(r2); + gcry_mpi_release(temp1); + gcry_mpi_release(temp2); + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* + * Verify a proof of knowledge of coordinates with first components being equal + */ +static gcry_error_t otrl_sm_check_equal_coords(const gcry_mpi_t c, + const gcry_mpi_t d1, const gcry_mpi_t d2, const gcry_mpi_t p, + const gcry_mpi_t q, const OtrlSMState *state, int version) +{ + int comp; + + gcry_mpi_t temp1 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_t temp2 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_t temp3 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_t cprime = NULL; + + /* To verify, we test that hash(g3^d1 * p^c, g1^d1 * g2^d2 * q^c) = c + * If indeed c = hash(g3^r1, g1^r1 g2^r2), d1 = r1 - r*c, + * d2 = r2 - secret*c. And if indeed p = g3^r, q = g1^r * g2^secret + * Then we should have that: + * hash(g3^d1 * p^c, g1^d1 * g2^d2 * q^c) + * = hash(g3^(r1 - r*c + r*c), g1^(r1 - r*c + q*c) * + * g2^(r2 - secret*c + secret*c)) + * = hash(g3^r1, g1^r1 g2^r2) + * = c + */ + gcry_mpi_powm(temp2, state->g3, d1, SM_MODULUS); + gcry_mpi_powm(temp3, p, c, SM_MODULUS); + gcry_mpi_mulm(temp1, temp2, temp3, SM_MODULUS); + + gcry_mpi_powm(temp2, state->g1, d1, SM_MODULUS); + gcry_mpi_powm(temp3, state->g2, d2, SM_MODULUS); + gcry_mpi_mulm(temp2, temp2, temp3, SM_MODULUS); + gcry_mpi_powm(temp3, q, c, SM_MODULUS); + gcry_mpi_mulm(temp2, temp3, temp2, SM_MODULUS); + + otrl_sm_hash(&cprime, version, temp1, temp2); + + comp = gcry_mpi_cmp(c, cprime); + gcry_mpi_release(temp1); + gcry_mpi_release(temp2); + gcry_mpi_release(temp3); + gcry_mpi_release(cprime); + + return comp; +} + +/* + * Proof of knowledge of logs with exponents being equal + */ +static gcry_error_t otrl_sm_proof_equal_logs(gcry_mpi_t *c, gcry_mpi_t *d, + OtrlSMState *state, int version) +{ + gcry_mpi_t r = randomExponent(); + gcry_mpi_t temp1 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_t temp2 = gcry_mpi_new(SM_MOD_LEN_BITS); + + /* Compute the value of c, as c = h(g1^r, (Qa/Qb)^r) */ + gcry_mpi_powm(temp1, state->g1, r, SM_MODULUS); + gcry_mpi_powm(temp2, state->qab, r, SM_MODULUS); + otrl_sm_hash(c, version, temp1, temp2); + + /* Compute the d values, as d = r - x3 c */ + gcry_mpi_mulm(temp1, state->x3, *c, SM_ORDER); + gcry_mpi_subm(*d, r, temp1, SM_ORDER); + + /* All clear */ + gcry_mpi_release(r); + gcry_mpi_release(temp1); + gcry_mpi_release(temp2); + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* + * Verify a proof of knowledge of logs with exponents being equal + */ +static gcry_error_t otrl_sm_check_equal_logs(const gcry_mpi_t c, + const gcry_mpi_t d, const gcry_mpi_t r, const OtrlSMState *state, + int version) +{ + int comp; + + gcry_mpi_t temp1 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_t temp2 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_t temp3 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_t cprime = NULL; + + /* Here, we recall the exponents used to create g3. + * If we have previously seen g3o = g1^x where x is unknown + * during the DH exchange to produce g3, then we may proceed with: + * + * To verify, we test that hash(g1^d * g3o^c, qab^d * r^c) = c + * If indeed c = hash(g1^r1, qab^r1), d = r1- x * c + * And if indeed r = qab^x + * Then we should have that: + * hash(g1^d * g3o^c, qab^d r^c) + * = hash(g1^(r1 - x*c + x*c), qab^(r1 - x*c + x*c)) + * = hash(g1^r1, qab^r1) + * = c + */ + gcry_mpi_powm(temp2, state->g1, d, SM_MODULUS); + gcry_mpi_powm(temp3, state->g3o, c, SM_MODULUS); + gcry_mpi_mulm(temp1, temp2, temp3, SM_MODULUS); + + gcry_mpi_powm(temp3, state->qab, d, SM_MODULUS); + gcry_mpi_powm(temp2, r, c, SM_MODULUS); + gcry_mpi_mulm(temp2, temp3, temp2, SM_MODULUS); + + otrl_sm_hash(&cprime, version, temp1, temp2); + + comp = gcry_mpi_cmp(c, cprime); + gcry_mpi_release(temp1); + gcry_mpi_release(temp2); + gcry_mpi_release(temp3); + gcry_mpi_release(cprime); + + return comp; +} + +/* Create first message in SMP exchange. Input is Alice's secret value + * which this protocol aims to compare to Bob's. Output is a serialized + * mpi array whose elements correspond to the following: + * [0] = g2a, Alice's half of DH exchange to determine g2 + * [1] = c2, [2] = d2, Alice's ZK proof of knowledge of g2a exponent + * [3] = g3a, Alice's half of DH exchange to determine g3 + * [4] = c3, [5] = d3, Alice's ZK proof of knowledge of g3a exponent */ +gcry_error_t otrl_sm_step1(OtrlSMAliceState *astate, + const unsigned char* secret, int secretlen, + unsigned char** output, int* outputlen) +{ + /* Initialize the sm state or update the secret */ + gcry_mpi_t secret_mpi = NULL; + gcry_mpi_t *msg1; + + *output = NULL; + *outputlen = 0; + + gcry_mpi_scan(&secret_mpi, GCRYMPI_FMT_USG, secret, secretlen, NULL); + + if (! astate->g1) { + otrl_sm_state_init(astate); + } + gcry_mpi_set(astate->secret, secret_mpi); + gcry_mpi_release(secret_mpi); + astate->received_question = 0; + + otrl_sm_msg1_init(&msg1); + + astate->x2 = randomExponent(); + astate->x3 = randomExponent(); + + gcry_mpi_powm(msg1[0], astate->g1, astate->x2, SM_MODULUS); + otrl_sm_proof_know_log(&(msg1[1]), &(msg1[2]), astate->g1, astate->x2, 1); + + gcry_mpi_powm(msg1[3], astate->g1, astate->x3, SM_MODULUS); + otrl_sm_proof_know_log(&(msg1[4]), &(msg1[5]), astate->g1, astate->x3, 2); + + serialize_mpi_array(output, outputlen, SM_MSG1_LEN, msg1); + otrl_sm_msg_free(&msg1, SM_MSG1_LEN); + astate->sm_prog_state = OTRL_SMP_PROG_OK; + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Receive the first message in SMP exchange, which was generated by + * otrl_sm_step1. Input is saved until the user inputs their secret + * information. No output. */ +gcry_error_t otrl_sm_step2a(OtrlSMBobState *bstate, const unsigned char* input, + const int inputlen, int received_question) +{ + gcry_mpi_t *msg1; + gcry_error_t err; + + /* Initialize the sm state if needed */ + if (! bstate->g1) { + otrl_sm_state_init(bstate); + } + bstate->received_question = received_question; + bstate->sm_prog_state = OTRL_SMP_PROG_CHEATED; + + /* Read from input to find the mpis */ + err = unserialize_mpi_array(&msg1, SM_MSG1_LEN, input, inputlen); + + if (err != gcry_error(GPG_ERR_NO_ERROR)) return err; + + if (check_group_elem(msg1[0]) || check_expon(msg1[2]) || + check_group_elem(msg1[3]) || check_expon(msg1[5])) { + otrl_sm_msg_free(&msg1, SM_MSG1_LEN); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Store Alice's g3a value for later in the protocol */ + gcry_mpi_set(bstate->g3o, msg1[3]); + + /* Verify Alice's proofs */ + if (otrl_sm_check_know_log(msg1[1], msg1[2], bstate->g1, msg1[0], 1) || + otrl_sm_check_know_log(msg1[4], msg1[5], bstate->g1, msg1[3], 2)) { + otrl_sm_msg_free(&msg1, SM_MSG1_LEN); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Create Bob's half of the generators g2 and g3 */ + bstate->x2 = randomExponent(); + bstate->x3 = randomExponent(); + + /* Combine the two halves from Bob and Alice and determine g2 and g3 */ + gcry_mpi_powm(bstate->g2, msg1[0], bstate->x2, SM_MODULUS); + gcry_mpi_powm(bstate->g3, msg1[3], bstate->x3, SM_MODULUS); + + bstate->sm_prog_state = OTRL_SMP_PROG_OK; + + otrl_sm_msg_free(&msg1, SM_MSG1_LEN); + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Create second message in SMP exchange. Input is Bob's secret value. + * Information from earlier steps in the exchange is taken from Bob's + * state. Output is a serialized mpi array whose elements correspond + * to the following: + * [0] = g2b, Bob's half of DH exchange to determine g2 + * [1] = c2, [2] = d2, Bob's ZK proof of knowledge of g2b exponent + * [3] = g3b, Bob's half of DH exchange to determine g3 + * [4] = c3, [5] = d3, Bob's ZK proof of knowledge of g3b exponent + * [6] = pb, [7] = qb, Bob's halves of the (Pa/Pb) and (Qa/Qb) values + * [8] = cp, [9] = d5, [10] = d6, Bob's ZK proof that pb, qb formed correctly */ +gcry_error_t otrl_sm_step2b(OtrlSMBobState *bstate, const unsigned char* secret, + int secretlen, unsigned char **output, int* outputlen) +{ + /* Convert the given secret to the proper form and store it */ + gcry_mpi_t r, qb1, qb2; + gcry_mpi_t *msg2; + gcry_mpi_t secret_mpi = NULL; + + *output = NULL; + *outputlen = 0; + + gcry_mpi_scan(&secret_mpi, GCRYMPI_FMT_USG, secret, secretlen, NULL); + gcry_mpi_set(bstate->secret, secret_mpi); + gcry_mpi_release(secret_mpi); + + otrl_sm_msg2_init(&msg2); + + gcry_mpi_powm(msg2[0], bstate->g1, bstate->x2, SM_MODULUS); + otrl_sm_proof_know_log(&(msg2[1]), &(msg2[2]), bstate->g1, bstate->x2, 3); + + gcry_mpi_powm(msg2[3], bstate->g1, bstate->x3, SM_MODULUS); + otrl_sm_proof_know_log(&(msg2[4]), &(msg2[5]), bstate->g1, bstate->x3, 4); + + /* Calculate P and Q values for Bob */ + r = randomExponent(); + qb1 = gcry_mpi_new(SM_MOD_LEN_BITS); + qb2 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_powm(bstate->p, bstate->g3, r, SM_MODULUS); + gcry_mpi_set(msg2[6], bstate->p); + gcry_mpi_powm(qb1, bstate->g1, r, SM_MODULUS); + gcry_mpi_powm(qb2, bstate->g2, bstate->secret, SM_MODULUS); + gcry_mpi_mulm(bstate->q, qb1, qb2, SM_MODULUS); + gcry_mpi_set(msg2[7], bstate->q); + + otrl_sm_proof_equal_coords(&(msg2[8]), &(msg2[9]), + &(msg2[10]), bstate, r, 5); + + /* Convert to serialized form */ + serialize_mpi_array(output, outputlen, SM_MSG2_LEN, msg2); + + /* Free up memory for unserialized and intermediate values */ + gcry_mpi_release(r); + gcry_mpi_release(qb1); + gcry_mpi_release(qb2); + otrl_sm_msg_free(&msg2, SM_MSG2_LEN); + + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Create third message in SMP exchange. Input is a message generated + * by otrl_sm_step2b. Output is a serialized mpi array whose elements + * correspond to the following: + * [0] = pa, [1] = qa, Alice's halves of the (Pa/Pb) and (Qa/Qb) values + * [2] = cp, [3] = d5, [4] = d6, Alice's ZK proof that pa, qa formed correctly + * [5] = ra, calculated as (Qa/Qb)^x3 where x3 is the exponent used in g3a + * [6] = cr, [7] = d7, Alice's ZK proof that ra is formed correctly */ +gcry_error_t otrl_sm_step3(OtrlSMAliceState *astate, const unsigned char* input, + const int inputlen, unsigned char **output, int* outputlen) +{ + /* Read from input to find the mpis */ + gcry_mpi_t r, qa1, qa2, inv; + gcry_mpi_t *msg2; + gcry_mpi_t *msg3; + gcry_error_t err; + + *output = NULL; + *outputlen = 0; + astate->sm_prog_state = OTRL_SMP_PROG_CHEATED; + + err = unserialize_mpi_array(&msg2, SM_MSG2_LEN, input, inputlen); + if (err != gcry_error(GPG_ERR_NO_ERROR)) return err; + + if (check_group_elem(msg2[0]) || check_group_elem(msg2[3]) || + check_group_elem(msg2[6]) || check_group_elem(msg2[7]) || + check_expon(msg2[2]) || check_expon(msg2[5]) || + check_expon(msg2[9]) || check_expon(msg2[10])) { + otrl_sm_msg_free(&msg2, SM_MSG2_LEN); + return gcry_error(GPG_ERR_INV_VALUE); + } + + otrl_sm_msg3_init(&msg3); + + /* Store Bob's g3a value for later in the protocol */ + gcry_mpi_set(astate->g3o, msg2[3]); + + /* Verify Bob's knowledge of discrete log proofs */ + if (otrl_sm_check_know_log(msg2[1], msg2[2], astate->g1, msg2[0], 3) || + otrl_sm_check_know_log(msg2[4], msg2[5], astate->g1, msg2[3], 4)) { + otrl_sm_msg_free(&msg2, SM_MSG2_LEN); + otrl_sm_msg_free(&msg3, SM_MSG3_LEN); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Combine the two halves from Bob and Alice and determine g2 and g3 */ + gcry_mpi_powm(astate->g2, msg2[0], astate->x2, SM_MODULUS); + gcry_mpi_powm(astate->g3, msg2[3], astate->x3, SM_MODULUS); + + /* Verify Bob's coordinate equality proof */ + if (otrl_sm_check_equal_coords(msg2[8], msg2[9], msg2[10], msg2[6], msg2[7], + astate, 5)) { + otrl_sm_msg_free(&msg2, SM_MSG2_LEN); + otrl_sm_msg_free(&msg3, SM_MSG3_LEN); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Calculate P and Q values for Alice */ + r = randomExponent(); + qa1 = gcry_mpi_new(SM_MOD_LEN_BITS); + qa2 = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_powm(astate->p, astate->g3, r, SM_MODULUS); + gcry_mpi_set(msg3[0], astate->p); + gcry_mpi_powm(qa1, astate->g1, r, SM_MODULUS); + gcry_mpi_powm(qa2, astate->g2, astate->secret, SM_MODULUS); + gcry_mpi_mulm(astate->q, qa1, qa2, SM_MODULUS); + gcry_mpi_set(msg3[1], astate->q); + + otrl_sm_proof_equal_coords(&(msg3[2]), &(msg3[3]), &(msg3[4]), astate, + r, 6); + + /* Calculate Ra and proof */ + inv = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_invm(inv, msg2[6], SM_MODULUS); + gcry_mpi_mulm(astate->pab, astate->p, inv, SM_MODULUS); + gcry_mpi_invm(inv, msg2[7], SM_MODULUS); + gcry_mpi_mulm(astate->qab, astate->q, inv, SM_MODULUS); + gcry_mpi_powm(msg3[5], astate->qab, astate->x3, SM_MODULUS); + otrl_sm_proof_equal_logs(&(msg3[6]), &(msg3[7]), astate, 7); + + serialize_mpi_array(output, outputlen, SM_MSG3_LEN, msg3); + otrl_sm_msg_free(&msg2, SM_MSG2_LEN); + otrl_sm_msg_free(&msg3, SM_MSG3_LEN); + + gcry_mpi_release(r); + gcry_mpi_release(qa1); + gcry_mpi_release(qa2); + gcry_mpi_release(inv); + + astate->sm_prog_state = OTRL_SMP_PROG_OK; + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Create final message in SMP exchange. Input is a message generated + * by otrl_sm_step3. Output is a serialized mpi array whose elements + * correspond to the following: + * [0] = rb, calculated as (Qa/Qb)^x3 where x3 is the exponent used in g3b + * [1] = cr, [2] = d7, Bob's ZK proof that rb is formed correctly + * This method also checks if Alice and Bob's secrets were the same. If + * so, it returns NO_ERROR. If the secrets differ, an INV_VALUE error is + * returned instead. */ +gcry_error_t otrl_sm_step4(OtrlSMBobState *bstate, const unsigned char* input, + const int inputlen, unsigned char **output, int* outputlen) +{ + /* Read from input to find the mpis */ + int comp; + gcry_mpi_t inv, rab; + gcry_mpi_t *msg3; + gcry_mpi_t *msg4; + gcry_error_t err; + err = unserialize_mpi_array(&msg3, SM_MSG3_LEN, input, inputlen); + + *output = NULL; + *outputlen = 0; + bstate->sm_prog_state = OTRL_SMP_PROG_CHEATED; + + if (err != gcry_error(GPG_ERR_NO_ERROR)) return err; + + otrl_sm_msg4_init(&msg4); + + if (check_group_elem(msg3[0]) || check_group_elem(msg3[1]) || + check_group_elem(msg3[5]) || check_expon(msg3[3]) || + check_expon(msg3[4]) || check_expon(msg3[7])) { + otrl_sm_msg_free(&msg3, SM_MSG3_LEN); + otrl_sm_msg_free(&msg4, SM_MSG4_LEN); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Verify Alice's coordinate equality proof */ + if (otrl_sm_check_equal_coords(msg3[2], msg3[3], msg3[4], msg3[0], msg3[1], + bstate, 6)) { + otrl_sm_msg_free(&msg3, SM_MSG3_LEN); + otrl_sm_msg_free(&msg4, SM_MSG4_LEN); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Find Pa/Pb and Qa/Qb */ + inv = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_invm(inv, bstate->p, SM_MODULUS); + gcry_mpi_mulm(bstate->pab, msg3[0], inv, SM_MODULUS); + gcry_mpi_invm(inv, bstate->q, SM_MODULUS); + gcry_mpi_mulm(bstate->qab, msg3[1], inv, SM_MODULUS); + + /* Verify Alice's log equality proof */ + if (otrl_sm_check_equal_logs(msg3[6], msg3[7], msg3[5], bstate, 7)) { + otrl_sm_msg_free(&msg3, SM_MSG3_LEN); + otrl_sm_msg_free(&msg4, SM_MSG4_LEN); + gcry_mpi_release(inv); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Calculate Rb and proof */ + gcry_mpi_powm(msg4[0], bstate->qab, bstate->x3, SM_MODULUS); + otrl_sm_proof_equal_logs(&(msg4[1]), &(msg4[2]), bstate, 8); + + serialize_mpi_array(output, outputlen, SM_MSG4_LEN, msg4); + + /* Calculate Rab and verify that secrets match */ + rab = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_powm(rab, msg3[5], bstate->x3, SM_MODULUS); + comp = gcry_mpi_cmp(rab, bstate->pab); + + /* Clean up everything allocated in this step */ + otrl_sm_msg_free(&msg3, SM_MSG3_LEN); + otrl_sm_msg_free(&msg4, SM_MSG4_LEN); + gcry_mpi_release(rab); + gcry_mpi_release(inv); + + bstate->sm_prog_state = comp ? OTRL_SMP_PROG_FAILED : + OTRL_SMP_PROG_SUCCEEDED; + + if (comp) + return gcry_error(GPG_ERR_INV_VALUE); + else + return gcry_error(GPG_ERR_NO_ERROR); +} + +/* Receives the final SMP message, which was generated in otrl_sm_step. + * This method checks if Alice and Bob's secrets were the same. If + * so, it returns NO_ERROR. If the secrets differ, an INV_VALUE error is + * returned instead. */ +gcry_error_t otrl_sm_step5(OtrlSMAliceState *astate, const unsigned char* input, + const int inputlen) +{ + /* Read from input to find the mpis */ + int comp; + gcry_mpi_t rab; + gcry_mpi_t *msg4; + gcry_error_t err; + err = unserialize_mpi_array(&msg4, SM_MSG4_LEN, input, inputlen); + astate->sm_prog_state = OTRL_SMP_PROG_CHEATED; + + if (err != gcry_error(GPG_ERR_NO_ERROR)) return err; + + if (check_group_elem(msg4[0]) || check_expon(msg4[2])) { + otrl_sm_msg_free(&msg4, SM_MSG4_LEN); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Verify Bob's log equality proof */ + if (otrl_sm_check_equal_logs(msg4[1], msg4[2], msg4[0], astate, 8)) { + otrl_sm_msg_free(&msg4, SM_MSG4_LEN); + return gcry_error(GPG_ERR_INV_VALUE); + } + + /* Calculate Rab and verify that secrets match */ + rab = gcry_mpi_new(SM_MOD_LEN_BITS); + gcry_mpi_powm(rab, msg4[0], astate->x3, SM_MODULUS); + + comp = gcry_mpi_cmp(rab, astate->pab); + gcry_mpi_release(rab); + otrl_sm_msg_free(&msg4, SM_MSG4_LEN); + + astate->sm_prog_state = comp ? OTRL_SMP_PROG_FAILED : + OTRL_SMP_PROG_SUCCEEDED; + + if (comp) + return gcry_error(GPG_ERR_INV_VALUE); + else + return gcry_error(GPG_ERR_NO_ERROR); +} diff --git a/comm/third_party/libotr/src/sm.h b/comm/third_party/libotr/src/sm.h new file mode 100644 index 0000000000..53703ff301 --- /dev/null +++ b/comm/third_party/libotr/src/sm.h @@ -0,0 +1,84 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Chris Alexander, Willy Lew, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __SM_H__ +#define __SM_H__ + +#include <gcrypt.h> + +#define SM_HASH_ALGORITHM GCRY_MD_SHA256 +#define SM_DIGEST_SIZE 32 + +typedef enum { + OTRL_SMP_EXPECT1, + OTRL_SMP_EXPECT2, + OTRL_SMP_EXPECT3, + OTRL_SMP_EXPECT4, + OTRL_SMP_EXPECT5 +} NextExpectedSMP; + +typedef enum { + OTRL_SMP_PROG_OK = 0, /* All is going fine so far */ + OTRL_SMP_PROG_CHEATED = -2, /* Some verification failed */ + OTRL_SMP_PROG_FAILED = -1, /* The secrets didn't match */ + OTRL_SMP_PROG_SUCCEEDED = 1 /* The SMP completed successfully */ +} OtrlSMProgState; + +typedef struct { + gcry_mpi_t secret, x2, x3, g1, g2, g3, g3o, p, q, pab, qab; + NextExpectedSMP nextExpected; + int received_question; /* 1 if we received a question in an SMP1Q TLV */ + OtrlSMProgState sm_prog_state; +} OtrlSMState; + +typedef OtrlSMState OtrlSMAliceState; +typedef OtrlSMState OtrlSMBobState; + +/* + * Call this once, at plugin load time. It sets up the modulus and + * generator MPIs. + */ +void otrl_sm_init(void); + +/* + * Initialize the fields of a SM state. + */ +void otrl_sm_state_new(OtrlSMState *smst); + +/* + * Initialize the fields of a SM state. Called the first time that + * a user begins an SMP session. + */ +void otrl_sm_state_init(OtrlSMState *smst); + +/* + * Deallocate the contents of a OtrlSMState (but not the OtrlSMState + * itself) + */ +void otrl_sm_state_free(OtrlSMState *smst); + +gcry_error_t otrl_sm_step1(OtrlSMAliceState *astate, const unsigned char* secret, int secretlen, unsigned char** output, int* outputlen); +gcry_error_t otrl_sm_step2a(OtrlSMBobState *bstate, const unsigned char* input, const int inputlen, int received_question); +gcry_error_t otrl_sm_step2b(OtrlSMBobState *bstate, const unsigned char* secret, int secretlen, unsigned char **output, int* outputlen); +gcry_error_t otrl_sm_step3(OtrlSMAliceState *astate, const unsigned char* input, const int inputlen, unsigned char **output, int* outputlen); +gcry_error_t otrl_sm_step4(OtrlSMBobState *bstate, const unsigned char* input, const int inputlen, unsigned char **output, int* outputlen); +gcry_error_t otrl_sm_step5(OtrlSMAliceState *astate, const unsigned char* input, const int inputlen); + +#endif diff --git a/comm/third_party/libotr/src/tlv.c b/comm/third_party/libotr/src/tlv.c new file mode 100644 index 0000000000..fa76c3d76c --- /dev/null +++ b/comm/third_party/libotr/src/tlv.c @@ -0,0 +1,109 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Chris Alexander, Willy Lew, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include <stdlib.h> +#include <string.h> +#include <assert.h> + +#include "tlv.h" + +/* Make a single TLV, copying the supplied data */ +OtrlTLV *otrl_tlv_new(unsigned short type, unsigned short len, + const unsigned char *data) +{ + OtrlTLV *tlv = malloc(sizeof(OtrlTLV)); + assert(tlv != NULL); + tlv->type = type; + tlv->len = len; + tlv->data = malloc(len + 1); + assert(tlv->data != NULL); + memmove(tlv->data, data, len); + tlv->data[tlv->len] = '\0'; + tlv->next = NULL; + return tlv; +} + +/* Construct a chain of TLVs from the given data */ +OtrlTLV *otrl_tlv_parse(const unsigned char *serialized, size_t seriallen) +{ + OtrlTLV *tlv = NULL; + OtrlTLV **tlvp = &tlv; + while (seriallen >= 4) { + unsigned short type = (serialized[0] << 8) + serialized[1]; + unsigned short len = (serialized[2] << 8) + serialized[3]; + serialized += 4; seriallen -=4; + if (seriallen < len) break; + *tlvp = otrl_tlv_new(type, len, serialized); + serialized += len; + seriallen -= len; + tlvp = &((*tlvp)->next); + } + return tlv; +} + +/* Deallocate a chain of TLVs */ +void otrl_tlv_free(OtrlTLV *tlv) +{ + while (tlv) { + OtrlTLV *next = tlv->next; + free(tlv->data); + free(tlv); + tlv = next; + } +} + +/* Find the serialized length of a chain of TLVs */ +size_t otrl_tlv_seriallen(const OtrlTLV *tlv) +{ + size_t totlen = 0; + while (tlv) { + totlen += tlv->len + 4; + tlv = tlv->next; + } + return totlen; +} + +/* Serialize a chain of TLVs. The supplied buffer must already be large + * enough. */ +void otrl_tlv_serialize(unsigned char *buf, const OtrlTLV *tlv) +{ + while (tlv) { + buf[0] = (tlv->type >> 8) & 0xff; + buf[1] = tlv->type & 0xff; + buf[2] = (tlv->len >> 8) & 0xff; + buf[3] = tlv->len & 0xff; + buf += 4; + memmove(buf, tlv->data, tlv->len); + buf += tlv->len; + tlv = tlv->next; + } +} + +/* Return the first TLV with the given type in the chain, or NULL if one + * isn't found. (The tlvs argument isn't const because the return type + * needs to be non-const.) */ +OtrlTLV *otrl_tlv_find(OtrlTLV *tlvs, unsigned short type) +{ + while (tlvs) { + if (tlvs->type == type) return tlvs; + tlvs = tlvs->next; + } + return NULL; +} diff --git a/comm/third_party/libotr/src/tlv.h b/comm/third_party/libotr/src/tlv.h new file mode 100644 index 0000000000..0bfeeb27fd --- /dev/null +++ b/comm/third_party/libotr/src/tlv.h @@ -0,0 +1,78 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Chris Alexander, Willy Lew, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __TLV_H__ +#define __TLV_H__ + +typedef struct s_OtrlTLV { + unsigned short type; + unsigned short len; + unsigned char *data; + struct s_OtrlTLV *next; +} OtrlTLV; + +/* TLV types */ + +/* This is just padding for the encrypted message, and should be ignored. */ +#define OTRL_TLV_PADDING 0x0000 + +/* The sender has thrown away his OTR session keys with you */ +#define OTRL_TLV_DISCONNECTED 0x0001 + +/* The message contains a step in the Socialist Millionaires' Protocol. */ +#define OTRL_TLV_SMP1 0x0002 +#define OTRL_TLV_SMP2 0x0003 +#define OTRL_TLV_SMP3 0x0004 +#define OTRL_TLV_SMP4 0x0005 +#define OTRL_TLV_SMP_ABORT 0x0006 +/* Like OTRL_TLV_SMP1, but there's a question for the buddy at the + * beginning */ +#define OTRL_TLV_SMP1Q 0x0007 +/* Tell the application the current "extra" symmetric key */ +/* XXX: Document this in the protocol spec: + * The body of the TLV will begin with a 4-byte indication of what this + * symmetric key will be used for (file transfer, voice encryption, + * etc.). After that, the contents are use-specific (which file, etc.). + * There are no currently defined uses. */ +#define OTRL_TLV_SYMKEY 0x0008 + +/* Make a single TLV, copying the supplied data */ +OtrlTLV *otrl_tlv_new(unsigned short type, unsigned short len, + const unsigned char *data); + +/* Construct a chain of TLVs from the given data */ +OtrlTLV *otrl_tlv_parse(const unsigned char *serialized, size_t seriallen); + +/* Deallocate a chain of TLVs */ +void otrl_tlv_free(OtrlTLV *tlv); + +/* Find the serialized length of a chain of TLVs */ +size_t otrl_tlv_seriallen(const OtrlTLV *tlv); + +/* Serialize a chain of TLVs. The supplied buffer must already be large + * enough. */ +void otrl_tlv_serialize(unsigned char *buf, const OtrlTLV *tlv); + +/* Return the first TLV with the given type in the chain, or NULL if one + * isn't found. (The tlvs argument isn't const because the return type + * needs to be non-const.) */ +OtrlTLV *otrl_tlv_find(OtrlTLV *tlvs, unsigned short type); + +#endif diff --git a/comm/third_party/libotr/src/userstate.c b/comm/third_party/libotr/src/userstate.c new file mode 100644 index 0000000000..58f5a05578 --- /dev/null +++ b/comm/third_party/libotr/src/userstate.c @@ -0,0 +1,57 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Rob Smits, Chris Alexander, + * Willy Lew, Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* system headers */ +#include <stdlib.h> + +/* libotr headers */ +#include "context.h" +#include "privkey.h" +#include "userstate.h" + +/* Create a new OtrlUserState. Most clients will only need one of + * these. A OtrlUserState encapsulates the list of known fingerprints + * and the list of private keys; if you have separate files for these + * things for (say) different users, use different OtrlUserStates. If + * you've got only one user, with multiple accounts all stored together + * in the same fingerprint store and privkey store files, use just one + * OtrlUserState. */ +OtrlUserState otrl_userstate_create(void) +{ + OtrlUserState us = malloc(sizeof(struct s_OtrlUserState)); + if (!us) return NULL; + us->context_root = NULL; + us->privkey_root = NULL; + us->instag_root = NULL; + us->pending_root = NULL; + us->timer_running = 0; + return us; +} + +/* Free a OtrlUserState. If you have a timer running for this userstate, +stop it before freeing the userstate. */ +void otrl_userstate_free(OtrlUserState us) +{ + otrl_context_forget_all(us); + otrl_privkey_forget_all(us); + otrl_privkey_pending_forget_all(us); + otrl_instag_forget_all(us); + free(us); +} diff --git a/comm/third_party/libotr/src/userstate.h b/comm/third_party/libotr/src/userstate.h new file mode 100644 index 0000000000..3f1e3b89cf --- /dev/null +++ b/comm/third_party/libotr/src/userstate.h @@ -0,0 +1,51 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2012 Ian Goldberg, Rob Smits, Chris Alexander, + * Willy Lew, Lisa Du, Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __USERSTATE_H__ +#define __USERSTATE_H__ + +typedef struct s_OtrlUserState* OtrlUserState; + +#include "instag.h" +#include "context.h" +#include "privkey-t.h" + +struct s_OtrlUserState { + ConnContext *context_root; + OtrlPrivKey *privkey_root; + OtrlInsTag *instag_root; + OtrlPendingPrivKey *pending_root; + int timer_running; +}; + +/* Create a new OtrlUserState. Most clients will only need one of + * these. A OtrlUserState encapsulates the list of known fingerprints + * and the list of private keys; if you have separate files for these + * things for (say) different users, use different OtrlUserStates. If + * you've got only one user, with multiple accounts all stored together + * in the same fingerprint store and privkey store files, use just one + * OtrlUserState. */ +OtrlUserState otrl_userstate_create(void); + +/* Free a OtrlUserState. If you have a timer running for this userstate, +stop it before freeing the userstate. */ +void otrl_userstate_free(OtrlUserState us); + +#endif diff --git a/comm/third_party/libotr/src/version.h b/comm/third_party/libotr/src/version.h new file mode 100644 index 0000000000..c7f990fb50 --- /dev/null +++ b/comm/third_party/libotr/src/version.h @@ -0,0 +1,31 @@ +/* + * Off-the-Record Messaging library + * Copyright (C) 2004-2016 Ian Goldberg, David Goulet, Rob Smits, + * Chris Alexander, Willy Lew, Lisa Du, + * Nikita Borisov + * <otr@cypherpunks.ca> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of version 2.1 of the GNU Lesser General + * Public License as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef __VERSION_H__ +#define __VERSION_H__ + +#define OTRL_VERSION "4.1.1" + +#define OTRL_VERSION_MAJOR 4 +#define OTRL_VERSION_MINOR 1 +#define OTRL_VERSION_SUB 1 + +#endif |