[mICQ] [patch] OTR support
Robert Bartel
r.bartel at gmx.net
Wed May 9 19:32:13 CEST 2007
Hello,
I wrote a patch which adds OTR encryption support to micq using libotr.
So what is OTR?
OTR stands for Off-the-Record messaging and is an encryption/authentication
protocol intended for instant messaging. Its main features are:
- encryption: session keys are thrown away after the conversation, so even if
  your private key gets compromised later on, the old messages should still be
  safe (unlike e.g. PGP).
- authentication of messages: MACs are used, so even if your partner publishes
  the messages of the conversation afterwards, you can deny them (unlike
  digital signatures).
For more details and the OTR library see <http://www.cypherpunks.ca/otr/>.
At the moment there exist OTR plugins for Gaim (now Pidgin), Trillian Pro,
Miranda, Adium and Kopete. Additionally, an AIM OTR proxy is available. Since
OTR is mostly independent of the underlying IM network, it would be a good
thing to have in micq. Additionally, libotr is under the LGPL, so there should
be no licensing problem.
Now to the user-visible changes in micq:
The patch adds a new contact option "otrpolicy" and the command "otr" to micq.
Valid values for otrpolicy are:
- never:
  Never use OTR with that contact.
- always:
  Never send unencrypted messages.
- try:
  A special whitespace tag is appended to the first message. If the
  remote side is OTR enabled it will start the encryption, otherwise
  the conversation will remain unencrypted. (This is the default.)
- manual:
  Encryption has to be enabled manually.
The otr command consists of several subcommands:
([] is optional, <> is mandatory)
- otr list [contact]:
  Lists the states of OTR sessions.
- otr start <contact>
- otr stop <contact>:
  Try to start/stop an OTR session with a contact.
- otr trust <contact> [string]:
  Prints/sets a trust value for the active fingerprint of a contact.
  (Can be any string to identify the fingerprint.)
- otr genkey:
  Generate a private signing key for the active account (used for
  authentication at the beginning of a session).
- otr keys:
  Lists all private keys (fingerprints).
The user interface can certainly be improved. For now I tried only to
implement the core functionality.
There are some new files which are placed in the .micq directory: "otr.key"
for the private keys, "otr.fpr" for the known fingerprints with their trust
data and "otr.log" for logging done by libotr.
Now some details of the implementation:
All OTR functions are in util_otr.c. Basically there are the initialization
and cleanup routines otr_init() and otr_end(), which are called from micq.c
before and after the main loop. Then there are otr_msg_in() and otr_msg_out()
which are used to pass all incoming (IMSrvMsgFat() in im_response.c) and
outgoing (IMCliMsg() in im_request.c) messages to libotr. Libotr takes care of
en-/decryption and the policy. In order to do that, it keeps the states of the
connections and uses callbacks (e.g. to display notifications, inject messages
or get the policy).
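As an added example that is not part of the patch: the whitespace tag that the "try" policy appends to the first message, and that libotr looks for on the receiving side, is a fixed byte sequence defined by the OTR protocol specification (a 16-byte base followed by one 8-byte marker per advertised protocol version). The stand-alone C code below (no libotr needed) shows what a client does at the points where otr_msg_out() and otr_msg_in() sit: tag an outgoing plaintext, and detect and strip the tag from an incoming one so that the user never sees it. Function and macro names are my own, not from the patch.

```c
#include <stdlib.h>
#include <string.h>

/* Whitespace tag as defined by the OTR protocol specification:
 * a 16-byte base sequence followed by one 8-byte marker per supported version. */
#define OTR_WS_BASE "\x20\x09\x20\x20\x09\x09\x09\x09\x20\x09\x20\x09\x20\x09\x20\x20"
#define OTR_WS_V1   "\x20\x09\x20\x09\x20\x20\x09\x20"
#define OTR_WS_V2   "\x20\x20\x09\x09\x20\x20\x09\x20"

#define OTR_VERSION_1 1u   /* bitmask values for the versions a peer advertises */
#define OTR_VERSION_2 2u

/* "try" policy, outgoing side: append the whitespace tag advertising `versions`
 * to a plaintext message. Returns a newly malloc'd string; the caller frees it. */
char *otr_ws_tag_append(const char *msg, unsigned versions)
{
    size_t len = strlen(msg);
    char *out = malloc(len + 16 + 8 * 2 + 1);
    if (!out) return NULL;
    memcpy(out, msg, len);
    memcpy(out + len, OTR_WS_BASE, 16); len += 16;
    if (versions & OTR_VERSION_1) { memcpy(out + len, OTR_WS_V1, 8); len += 8; }
    if (versions & OTR_VERSION_2) { memcpy(out + len, OTR_WS_V2, 8); len += 8; }
    out[len] = '\0';
    return out;
}

/* Incoming side: scan a plaintext for the tag. Returns the bitmask of versions
 * the peer advertises (0 if there is no tag). If `stripped` is non-NULL it
 * receives a malloc'd copy of the message with the tag removed for display. */
unsigned otr_ws_tag_detect(const char *msg, char **stripped)
{
    unsigned versions = 0;
    const char *tag = strstr(msg, OTR_WS_BASE); /* tag bytes contain no NUL */
    if (stripped) *stripped = NULL;
    if (!tag) return 0;
    const char *p = tag + 16;
    /* version markers follow the base in any order; stop at the first non-marker */
    for (;;) {
        if (strncmp(p, OTR_WS_V1, 8) == 0) { versions |= OTR_VERSION_1; p += 8; }
        else if (strncmp(p, OTR_WS_V2, 8) == 0) { versions |= OTR_VERSION_2; p += 8; }
        else break;
    }
    if (stripped) {
        size_t head = (size_t)(tag - msg), tail = strlen(p);
        *stripped = malloc(head + tail + 1);
        if (*stripped) { memcpy(*stripped, msg, head); memcpy(*stripped + head, p, tail + 1); }
    }
    return versions;
}
```

A peer that is not OTR enabled simply shows the trailing whitespace (usually invisibly), which is why the policy degrades to an unencrypted conversation rather than failing.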
There surely are bugs. Here are some possible problems:
- otr_end() tries to close all encrypted sessions, causing libotr to send
  messages. Does this still work after the main loop is left?
- Generating a private key can take a long time, since libgcrypt uses
  /dev/random, which might block. This could stop micq when there is no key
  and so the create_privkey() callback is used while receiving/sending a
  message. For now otr_init() tries to generate a new key if none is found at
  the start of micq.
- libotr uses a user name and a protocol name to identify contacts. I used the
  screen and type fields to set them. Seems to work for ICQ, but what about
  Jabber? There could be equal user names on different servers.
  There might be bugs in the mapping between a micq contact and a libotr
  context. (This could be improved by using the app_data field of a context.)
- Sometimes libotr uses HTML code in messages/notifications, which should be
  stripped off before display.
I hope this code is somehow useful and can be integrated.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: micq-otr.patch.gz
Type: application/x-gzip
Size: 10509 bytes
Desc: not available
Url : http://micq.org/pipermail/micq-list/attachments/20070509/98489c4b/attachment.bin