/* Create an OTR Data message. Pass the plaintext as msg, and an * optional chain of TLVs. A newly-allocated string will be returned in * *encmessagep. */ gcry_error_t otrl_proto_create_data(char **encmessagep, ConnContext *context, const char *msg, const OtrlTLV *tlvs, unsigned char flags) { size_t justmsglen = strlen(msg); size_t msglen = justmsglen + 1 + otrl_tlv_seriallen(tlvs); size_t buflen; size_t pubkeylen; unsigned char *buf = NULL; unsigned char *bufp; size_t lenp; DH_sesskeys *sess = &(context->sesskeys[1][0]); gcry_error_t err; size_t reveallen = 20 * context->numsavedkeys; size_t base64len; char *base64buf = NULL; unsigned char *msgbuf = NULL; enum gcry_mpi_format format = GCRYMPI_FMT_USG; char *msgdup; int version = context->protocol_version; /* Make sure we're actually supposed to be able to encrypt */ if (context->msgstate != OTRL_MSGSTATE_ENCRYPTED || context->their_keyid == 0) { return gcry_error(GPG_ERR_CONFLICT); } /* We need to copy the incoming msg, since it might be an alias for * context->lastmessage, which we'll be freeing soon. */ msgdup = gcry_malloc_secure(justmsglen + 1); if (msgdup == NULL) { return gcry_error(GPG_ERR_ENOMEM); } strcpy(msgdup, msg); *encmessagep = NULL; /* Header, send keyid, recv keyid, counter, msg len, msg * len of revealed mac keys, revealed mac keys, MAC */ buflen = 3 + (version == 2 ? 1 : 0) + 4 + 4 + 8 + 4 + msglen + 4 + reveallen + 20; gcry_mpi_print(format, NULL, 0, &pubkeylen, context->our_dh_key.pub); buflen += pubkeylen + 4; buf = malloc(buflen); msgbuf = gcry_malloc_secure(msglen); if (buf == NULL || msgbuf == NULL) { free(buf); gcry_free(msgbuf); gcry_free(msgdup); return gcry_error(GPG_ERR_ENOMEM); } memmove(msgbuf, msgdup, justmsglen); msgbuf[justmsglen] = '\0'; otrl_tlv_serialize(msgbuf + justmsglen + 1, tlvs); bufp = buf; lenp = buflen; if (version == 1) { memmove(bufp, "\x00\x01\x03", 3); /* header */ } else { memmove(bufp, "\x00\x02\x03", 3); /* header */ } debug_data("Header", bufp, 3); bufp += 3; lenp -= 3; if (version == 2) { bufp[0] = flags; bufp += 1; lenp -= 1; } write_int(context->our_keyid-1); /* sender keyid */ debug_int("Sender keyid", bufp-4); write_int(context->their_keyid); /* recipient keyid */ debug_int("Recipient keyid", bufp-4); write_mpi(context->our_dh_key.pub, pubkeylen, "Y"); /* Y */ otrl_dh_incctr(sess->sendctr); memmove(bufp, sess->sendctr, 8); /* Counter (top 8 bytes only) */ debug_data("Counter", bufp, 8); bufp += 8; lenp -= 8; write_int(msglen); /* length of encrypted data */ debug_int("Msg len", bufp-4); err = gcry_cipher_reset(sess->sendenc); if (err) goto err; err = gcry_cipher_setctr(sess->sendenc, sess->sendctr, 16); if (err) goto err; err = gcry_cipher_encrypt(sess->sendenc, bufp, msglen, msgbuf, msglen); if (err) goto err; /* encrypted data */ debug_data("Enc data", bufp, msglen); bufp += msglen; lenp -= msglen; gcry_md_reset(sess->sendmac); gcry_md_write(sess->sendmac, buf, bufp-buf); memmove(bufp, gcry_md_read(sess->sendmac, GCRY_MD_SHA1), 20); debug_data("MAC", bufp, 20); bufp += 20; /* MAC */ lenp -= 20; write_int(reveallen); /* length of revealed MAC keys */ debug_int("Revealed MAC length", bufp-4); if (reveallen > 0) { memmove(bufp, context->saved_mac_keys, reveallen); debug_data("Revealed MAC data", bufp, reveallen); bufp += reveallen; lenp -= reveallen; free(context->saved_mac_keys); context->saved_mac_keys = NULL; context->numsavedkeys = 0; } assert(lenp == 0); /* Make the base64-encoding. */ base64len = ((buflen + 2) / 3) * 4; base64buf = malloc(5 + base64len + 1 + 1); if (base64buf == NULL) { err = gcry_error(GPG_ERR_ENOMEM); goto err; } memmove(base64buf, "?OTR:", 5); otrl_base64_encode(base64buf+5, buf, buflen); base64buf[5 + base64len] = '.'; base64buf[5 + base64len + 1] = '\0'; free(buf); gcry_free(msgbuf); *encmessagep = base64buf; gcry_free(context->lastmessage); context->lastmessage = NULL; context->may_retransmit = 0; if (msglen > 0) { const char *prefix = "[resent] "; size_t prefixlen = strlen(prefix); if (!strncmp(prefix, msgdup, prefixlen)) { /* The prefix is already there. Don't add it again. */ prefix = ""; prefixlen = 0; } context->lastmessage = gcry_malloc_secure(prefixlen + justmsglen + 1); if (context->lastmessage) { strcpy(context->lastmessage, prefix); strcat(context->lastmessage, msgdup); } } gcry_free(msgdup); return gcry_error(GPG_ERR_NO_ERROR); err: free(buf); gcry_free(msgbuf); gcry_free(msgdup); *encmessagep = NULL; return err; }
/* Recalculate the MAC on the message, base64-encode the resulting MAC'd * message, and put on the appropriate header and footer. Return a * newly-allocated pointer to the result, which the caller will have to * free(). */ char *remac_datamsg(DataMsg datamsg, unsigned char mackey[20]) { size_t rawlen, lenp; size_t ylen; size_t base64len; char *outmsg; unsigned char *raw, *bufp; unsigned char version = datamsg->version; /* Calculate the size of the message that will result */ gcry_mpi_print(GCRYMPI_FMT_USG, NULL, 0, &ylen, datamsg->y); rawlen = 3 + (version == 3 ? 8 : 0) + (version == 2 || version == 3 ? 1 : 0) + 4 + 4 + 4 + ylen + 8 + 4 + datamsg->encmsglen + 20 + 4 + datamsg->mackeyslen; /* Construct the new raw message (note that some of the pieces may * have been altered, so we construct it from scratch). */ raw = malloc(rawlen); if (!raw) { fprintf(stderr, "Out of memory!\n"); exit(1); } bufp = raw; lenp = rawlen; datamsg->macstart = raw; datamsg->macend = NULL; free(datamsg->raw); datamsg->raw = raw; datamsg->rawlen = rawlen; memmove(bufp, "\x00", 1); memmove(bufp+1, &version, 1); memmove(bufp+2, "\x03", 1); bufp += 3; lenp -= 3; if (version == 3) { write_int(datamsg->sender_instance); write_int(datamsg->receiver_instance); } if (version == 2 || version == 3) { bufp[0] = datamsg->flags; bufp += 1; lenp -= 1; } write_int(datamsg->sender_keyid); write_int(datamsg->rcpt_keyid); write_mpi(datamsg->y, ylen); write_raw(datamsg->ctr, 8); write_int(datamsg->encmsglen); write_raw(datamsg->encmsg, datamsg->encmsglen); datamsg->macend = bufp; /* Recalculate the MAC */ sha1hmac(datamsg->mac, mackey, datamsg->macstart, datamsg->macend - datamsg->macstart); write_raw(datamsg->mac, 20); write_int(datamsg->mackeyslen); write_raw(datamsg->mackeys, datamsg->mackeyslen); if (lenp != 0) { fprintf(stderr, "Error creating OTR Data Message.\n"); exit(1); } base64len = 5 + ((datamsg->rawlen + 2) / 3) * 4 + 1 + 1; outmsg = malloc(base64len); if (!outmsg) return NULL; memmove(outmsg, "?OTR:", 5); otrl_base64_encode(outmsg + 5, datamsg->raw, datamsg->rawlen); strcpy(outmsg + base64len - 2, "."); return outmsg; }