@@ -1,6 +1,6 @@

 #!/bin/sh

-VNDR_COMMIT=a6e196d8b4b0cbbdc29aebdb20c59ac6926bb384

+VNDR_COMMIT=81cb8916aad3c8d06193f008dba3e16f82851f52

 install_vndr() {

 	echo "Install vndr version $VNDR_COMMIT"

@@ -9,10 +9,7 @@ validate_vendor_diff(){

 	unset IFS

 	if [ ${#files[@]} -gt 0 ]; then

-		# Remove vendor/ first so  that anything not included in vendor.conf will

-		# cause the validation to fail.

-		ls -d vendor/* | xargs rm -rf

-		# run vndr to recreate vendor/

+		# recreate vendor/

 		vndr

 		# check if any files have changed

 		diffs="$(git status --porcelain -- vendor 2>/dev/null)"

new file mode 100644

@@ -0,0 +1,197 @@

+// Copyright 2012 The Go Authors. All rights reserved.

+// Use of this source code is governed by a BSD-style

+// license that can be found in the LICENSE file.

+

+// This code can be compiled and used to test the otr package against libotr.

+// See otr_test.go.

+

+// +build ignore

+

+#include <stdio.h>

+#include <stdlib.h>

+#include <unistd.h>

+

+#include <proto.h>

+#include <message.h>

+#include <privkey.h>

+

+static int g_session_established = 0;

+

+OtrlPolicy policy(void *opdata, ConnContext *context) {

+  return OTRL_POLICY_ALWAYS;

+}

+

+int is_logged_in(void *opdata, const char *accountname, const char *protocol,

+                 const char *recipient) {

+  return 1;

+}

+

+void inject_message(void *opdata, const char *accountname, const char *protocol,

+                    const char *recipient, const char *message) {

+  printf("%s\n", message);

+  fflush(stdout);

+  fprintf(stderr, "libotr helper sent: %s\n", message);

+}

+

+void update_context_list(void *opdata) {}

+

+void new_fingerprint(void *opdata, OtrlUserState us, const char *accountname,

+                     const char *protocol, const char *username,

+                     unsigned char fingerprint[20]) {

+  fprintf(stderr, "NEW FINGERPRINT\n");

+  g_session_established = 1;

+}

+

+void write_fingerprints(void *opdata) {}

+

+void gone_secure(void *opdata, ConnContext *context) {}

+

+void gone_insecure(void *opdata, ConnContext *context) {}

+

+void still_secure(void *opdata, ConnContext *context, int is_reply) {}

+

+int max_message_size(void *opdata, ConnContext *context) { return 99999; }

+

+const char *account_name(void *opdata, const char *account,

+                         const char *protocol) {

+  return "ACCOUNT";

+}

+

+void account_name_free(void *opdata, const char *account_name) {}

+

+const char *error_message(void *opdata, ConnContext *context,

+                          OtrlErrorCode err_code) {

+  return "ERR";

+}

+

+void error_message_free(void *opdata, const char *msg) {}

+

+void resent_msg_prefix_free(void *opdata, const char *prefix) {}

+

+void handle_smp_event(void *opdata, OtrlSMPEvent smp_event,

+                      ConnContext *context, unsigned short progress_event,

+                      char *question) {}

+

+void handle_msg_event(void *opdata, OtrlMessageEvent msg_event,

+                      ConnContext *context, const char *message,

+                      gcry_error_t err) {

+  fprintf(stderr, "msg event: %d %s\n", msg_event, message);

+}

+

+OtrlMessageAppOps uiops = {

+    policy,

+    NULL,

+    is_logged_in,

+    inject_message,

+    update_context_list,

+    new_fingerprint,

+    write_fingerprints,

+    gone_secure,

+    gone_insecure,

+    still_secure,

+    max_message_size,

+    account_name,

+    account_name_free,

+    NULL, /* received_symkey */

+    error_message,

+    error_message_free,

+    NULL, /* resent_msg_prefix */

+    resent_msg_prefix_free,

+    handle_smp_event,

+    handle_msg_event,

+    NULL /* create_instag */,

+    NULL /* convert_msg */,

+    NULL /* convert_free */,

+    NULL /* timer_control */,

+};

+

+static const char kPrivateKeyData[] =

+    "(privkeys (account (name \"account\") (protocol proto) (private-key (dsa "

+    "(p "

+    "#00FC07ABCF0DC916AFF6E9AE47BEF60C7AB9B4D6B2469E436630E36F8A489BE812486A09F"

+    "30B71224508654940A835301ACC525A4FF133FC152CC53DCC59D65C30A54F1993FE13FE63E"

+    "5823D4C746DB21B90F9B9C00B49EC7404AB1D929BA7FBA12F2E45C6E0A651689750E8528AB"

+    "8C031D3561FECEE72EBB4A090D450A9B7A857#) (q "

+    "#00997BD266EF7B1F60A5C23F3A741F2AEFD07A2081#) (g "

+    "#535E360E8A95EBA46A4F7DE50AD6E9B2A6DB785A66B64EB9F20338D2A3E8FB0E94725848F"

+    "1AA6CC567CB83A1CC517EC806F2E92EAE71457E80B2210A189B91250779434B41FC8A8873F"

+    "6DB94BEA7D177F5D59E7E114EE10A49CFD9CEF88AE43387023B672927BA74B04EB6BBB5E57"

+    "597766A2F9CE3857D7ACE3E1E3BC1FC6F26#) (y "

+    "#0AC8670AD767D7A8D9D14CC1AC6744CD7D76F993B77FFD9E39DF01E5A6536EF65E775FCEF"

+    "2A983E2A19BD6415500F6979715D9FD1257E1FE2B6F5E1E74B333079E7C880D39868462A93"

+    "454B41877BE62E5EF0A041C2EE9C9E76BD1E12AE25D9628DECB097025DD625EF49C3258A1A"

+    "3C0FF501E3DC673B76D7BABF349009B6ECF#) (x "

+    "#14D0345A3562C480A039E3C72764F72D79043216#)))))\n";

+

+int main() {

+  OTRL_INIT;

+

+  // We have to write the private key information to a file because the libotr

+  // API demands a filename to read from.

+  const char *tmpdir = "/tmp";

+  if (getenv("TMP")) {

+    tmpdir = getenv("TMP");

+  }

+

+  char private_key_file[256];

+  snprintf(private_key_file, sizeof(private_key_file),

+           "%s/libotr_test_helper_privatekeys-XXXXXX", tmpdir);

+  int fd = mkstemp(private_key_file);

+  if (fd == -1) {

+    perror("creating temp file");

+  }

+  write(fd, kPrivateKeyData, sizeof(kPrivateKeyData) - 1);

+  close(fd);

+

+  OtrlUserState userstate = otrl_userstate_create();

+  otrl_privkey_read(userstate, private_key_file);

+  unlink(private_key_file);

+

+  fprintf(stderr, "libotr helper started\n");

+

+  char buf[4096];

+

+  for (;;) {

+    char *message = fgets(buf, sizeof(buf), stdin);

+    if (strlen(message) == 0) {

+      break;

+    }

+    message[strlen(message) - 1] = 0;

+    fprintf(stderr, "libotr helper got: %s\n", message);

+

+    char *newmessage = NULL;

+    OtrlTLV *tlvs;

+    int ignore_message = otrl_message_receiving(

+        userstate, &uiops, NULL, "account", "proto", "peer", message,

+        &newmessage, &tlvs, NULL, NULL, NULL);

+    if (tlvs) {

+      otrl_tlv_free(tlvs);

+    }

+

+    if (newmessage != NULL) {

+      fprintf(stderr, "libotr got: %s\n", newmessage);

+      otrl_message_free(newmessage);

+

+      gcry_error_t err;

+      char *newmessage = NULL;

+

+      err = otrl_message_sending(userstate, &uiops, NULL, "account", "proto",

+                                 "peer", 0, "test message", NULL, &newmessage,

+                                 OTRL_FRAGMENT_SEND_SKIP, NULL, NULL, NULL);

+      if (newmessage == NULL) {

+        fprintf(stderr, "libotr didn't encrypt message\n");

+        return 1;

+      }

+      write(1, newmessage, strlen(newmessage));

+      write(1, "\n", 1);

+      fprintf(stderr, "libotr sent: %s\n", newmessage);

+      otrl_message_free(newmessage);

+

+      g_session_established = 0;

+      write(1, "?OTRv2?\n", 8);

+      fprintf(stderr, "libotr sent: ?OTRv2\n");

+    }

+  }

+

+  return 0;

+}

new file mode 100644

@@ -0,0 +1,1415 @@

+// Copyright 2012 The Go Authors. All rights reserved.

+// Use of this source code is governed by a BSD-style

+// license that can be found in the LICENSE file.

+

+// Package otr implements the Off The Record protocol as specified in

+// http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html

+package otr // import "golang.org/x/crypto/otr"

+

+import (

+	"bytes"

+	"crypto/aes"

+	"crypto/cipher"

+	"crypto/dsa"

+	"crypto/hmac"

+	"crypto/rand"

+	"crypto/sha1"

+	"crypto/sha256"

+	"crypto/subtle"

+	"encoding/base64"

+	"encoding/hex"

+	"errors"

+	"hash"

+	"io"

+	"math/big"

+	"strconv"

+)

+

+// SecurityChange describes a change in the security state of a Conversation.

+type SecurityChange int

+

+const (

+	NoChange SecurityChange = iota

+	// NewKeys indicates that a key exchange has completed. This occurs

+	// when a conversation first becomes encrypted, and when the keys are

+	// renegotiated within an encrypted conversation.

+	NewKeys

+	// SMPSecretNeeded indicates that the peer has started an

+	// authentication and that we need to supply a secret. Call SMPQuestion

+	// to get the optional, human readable challenge and then Authenticate

+	// to supply the matching secret.

+	SMPSecretNeeded

+	// SMPComplete indicates that an authentication completed. The identity

+	// of the peer has now been confirmed.

+	SMPComplete

+	// SMPFailed indicates that an authentication failed.

+	SMPFailed

+	// ConversationEnded indicates that the peer ended the secure

+	// conversation.

+	ConversationEnded

+)

+

+// QueryMessage can be sent to a peer to start an OTR conversation.

+var QueryMessage = "?OTRv2?"

+

+// ErrorPrefix can be used to make an OTR error by appending an error message

+// to it.

+var ErrorPrefix = "?OTR Error:"

+

+var (

+	fragmentPartSeparator = []byte(",")

+	fragmentPrefix        = []byte("?OTR,")

+	msgPrefix             = []byte("?OTR:")

+	queryMarker           = []byte("?OTR")

+)

+

+// isQuery attempts to parse an OTR query from msg and returns the greatest

+// common version, or 0 if msg is not an OTR query.

+func isQuery(msg []byte) (greatestCommonVersion int) {

+	pos := bytes.Index(msg, queryMarker)

+	if pos == -1 {

+		return 0

+	}

+	for i, c := range msg[pos+len(queryMarker):] {

+		if i == 0 {

+			if c == '?' {

+				// Indicates support for version 1, but we don't

+				// implement that.

+				continue

+			}

+

+			if c != 'v' {

+				// Invalid message

+				return 0

+			}

+

+			continue

+		}

+

+		if c == '?' {

+			// End of message

+			return

+		}

+

+		if c == ' ' || c == '\t' {

+			// Probably an invalid message

+			return 0

+		}

+

+		if c == '2' {

+			greatestCommonVersion = 2

+		}

+	}

+

+	return 0

+}

+

+const (

+	statePlaintext = iota

+	stateEncrypted

+	stateFinished

+)

+

+const (

+	authStateNone = iota

+	authStateAwaitingDHKey

+	authStateAwaitingRevealSig

+	authStateAwaitingSig

+)

+

+const (

+	msgTypeDHCommit  = 2

+	msgTypeData      = 3

+	msgTypeDHKey     = 10

+	msgTypeRevealSig = 17

+	msgTypeSig       = 18

+)

+

+const (

+	// If the requested fragment size is less than this, it will be ignored.

+	minFragmentSize = 18

+	// Messages are padded to a multiple of this number of bytes.

+	paddingGranularity = 256

+	// The number of bytes in a Diffie-Hellman private value (320-bits).

+	dhPrivateBytes = 40

+	// The number of bytes needed to represent an element of the DSA

+	// subgroup (160-bits).

+	dsaSubgroupBytes = 20

+	// The number of bytes of the MAC that are sent on the wire (160-bits).

+	macPrefixBytes = 20

+)

+

+// These are the global, common group parameters for OTR.

+var (

+	p       *big.Int // group prime

+	g       *big.Int // group generator

+	q       *big.Int // group order

+	pMinus2 *big.Int

+)

+

+func init() {

+	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)

+	q, _ = new(big.Int).SetString("7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68948127044533E63A0105DF531D89CD9128A5043CC71A026EF7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9EE1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AFC1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF", 16)

+	g = new(big.Int).SetInt64(2)

+	pMinus2 = new(big.Int).Sub(p, g)

+}

+

+// Conversation represents a relation with a peer. The zero value is a valid

+// Conversation, although PrivateKey must be set.

+//

+// When communicating with a peer, all inbound messages should be passed to

+// Conversation.Receive and all outbound messages to Conversation.Send. The

+// Conversation will take care of maintaining the encryption state and

+// negotiating encryption as needed.

+type Conversation struct {

+	// PrivateKey contains the private key to use to sign key exchanges.

+	PrivateKey *PrivateKey

+

+	// Rand can be set to override the entropy source. Otherwise,

+	// crypto/rand will be used.

+	Rand io.Reader

+	// If FragmentSize is set, all messages produced by Receive and Send

+	// will be fragmented into messages of, at most, this number of bytes.

+	FragmentSize int

+

+	// Once Receive has returned NewKeys once, the following fields are

+	// valid.

+	SSID           [8]byte

+	TheirPublicKey PublicKey

+

+	state, authState int

+

+	r       [16]byte

+	x, y    *big.Int

+	gx, gy  *big.Int

+	gxBytes []byte

+	digest  [sha256.Size]byte

+

+	revealKeys, sigKeys akeKeys

+

+	myKeyId         uint32

+	myCurrentDHPub  *big.Int

+	myCurrentDHPriv *big.Int

+	myLastDHPub     *big.Int

+	myLastDHPriv    *big.Int

+

+	theirKeyId        uint32

+	theirCurrentDHPub *big.Int

+	theirLastDHPub    *big.Int

+

+	keySlots [4]keySlot

+

+	myCounter    [8]byte

+	theirLastCtr [8]byte

+	oldMACs      []byte

+

+	k, n int // fragment state

+	frag []byte

+

+	smp smpState

+}

+

+// A keySlot contains key material for a specific (their keyid, my keyid) pair.

+type keySlot struct {

+	// used is true if this slot is valid. If false, it's free for reuse.

+	used                   bool

+	theirKeyId             uint32

+	myKeyId                uint32

+	sendAESKey, recvAESKey []byte

+	sendMACKey, recvMACKey []byte

+	theirLastCtr           [8]byte

+}

+

+// akeKeys are generated during key exchange. There's one set for the reveal

+// signature message and another for the signature message. In the protocol

+// spec the latter are indicated with a prime mark.

+type akeKeys struct {

+	c      [16]byte

+	m1, m2 [32]byte

+}

+

+func (c *Conversation) rand() io.Reader {

+	if c.Rand != nil {

+		return c.Rand

+	}

+	return rand.Reader

+}

+

+func (c *Conversation) randMPI(buf []byte) *big.Int {

+	_, err := io.ReadFull(c.rand(), buf)

+	if err != nil {

+		panic("otr: short read from random source")

+	}

+

+	return new(big.Int).SetBytes(buf)

+}

+

+// tlv represents the type-length value from the protocol.

+type tlv struct {

+	typ, length uint16

+	data        []byte

+}

+

+const (

+	tlvTypePadding          = 0

+	tlvTypeDisconnected     = 1

+	tlvTypeSMP1             = 2

+	tlvTypeSMP2             = 3

+	tlvTypeSMP3             = 4

+	tlvTypeSMP4             = 5

+	tlvTypeSMPAbort         = 6

+	tlvTypeSMP1WithQuestion = 7

+)

+

+// Receive handles a message from a peer. It returns a human readable message,

+// an indicator of whether that message was encrypted, a hint about the

+// encryption state and zero or more messages to send back to the peer.

+// These messages do not need to be passed to Send before transmission.

+func (c *Conversation) Receive(in []byte) (out []byte, encrypted bool, change SecurityChange, toSend [][]byte, err error) {

+	if bytes.HasPrefix(in, fragmentPrefix) {

+		in, err = c.processFragment(in)

+		if in == nil || err != nil {

+			return

+		}

+	}

+

+	if bytes.HasPrefix(in, msgPrefix) && in[len(in)-1] == '.' {

+		in = in[len(msgPrefix) : len(in)-1]

+	} else if version := isQuery(in); version > 0 {

+		c.authState = authStateAwaitingDHKey

+		c.reset()

+		toSend = c.encode(c.generateDHCommit())

+		return

+	} else {

+		// plaintext message

+		out = in

+		return

+	}

+

+	msg := make([]byte, base64.StdEncoding.DecodedLen(len(in)))

+	msgLen, err := base64.StdEncoding.Decode(msg, in)

+	if err != nil {

+		err = errors.New("otr: invalid base64 encoding in message")

+		return

+	}

+	msg = msg[:msgLen]

+

+	// The first two bytes are the protocol version (2)

+	if len(msg) < 3 || msg[0] != 0 || msg[1] != 2 {

+		err = errors.New("otr: invalid OTR message")

+		return

+	}

+

+	msgType := int(msg[2])

+	msg = msg[3:]

+

+	switch msgType {

+	case msgTypeDHCommit:

+		switch c.authState {

+		case authStateNone:

+			c.authState = authStateAwaitingRevealSig

+			if err = c.processDHCommit(msg); err != nil {

+				return

+			}

+			c.reset()

+			toSend = c.encode(c.generateDHKey())

+			return

+		case authStateAwaitingDHKey:

+			// This is a 'SYN-crossing'. The greater digest wins.

+			var cmp int

+			if cmp, err = c.compareToDHCommit(msg); err != nil {

+				return

+			}

+			if cmp > 0 {

+				// We win. Retransmit DH commit.

+				toSend = c.encode(c.serializeDHCommit())

+				return

+			} else {

+				// They win. We forget about our DH commit.

+				c.authState = authStateAwaitingRevealSig

+				if err = c.processDHCommit(msg); err != nil {

+					return

+				}

+				c.reset()

+				toSend = c.encode(c.generateDHKey())

+				return

+			}

+		case authStateAwaitingRevealSig:

+			if err = c.processDHCommit(msg); err != nil {

+				return

+			}

+			toSend = c.encode(c.serializeDHKey())

+		case authStateAwaitingSig:

+			if err = c.processDHCommit(msg); err != nil {

+				return

+			}

+			c.reset()

+			toSend = c.encode(c.generateDHKey())

+			c.authState = authStateAwaitingRevealSig

+		default:

+			panic("bad state")

+		}

+	case msgTypeDHKey:

+		switch c.authState {

+		case authStateAwaitingDHKey:

+			var isSame bool

+			if isSame, err = c.processDHKey(msg); err != nil {

+				return

+			}

+			if isSame {

+				err = errors.New("otr: unexpected duplicate DH key")

+				return

+			}

+			toSend = c.encode(c.generateRevealSig())

+			c.authState = authStateAwaitingSig

+		case authStateAwaitingSig:

+			var isSame bool

+			if isSame, err = c.processDHKey(msg); err != nil {

+				return

+			}

+			if isSame {

+				toSend = c.encode(c.serializeDHKey())

+			}

+		}

+	case msgTypeRevealSig:

+		if c.authState != authStateAwaitingRevealSig {

+			return

+		}

+		if err = c.processRevealSig(msg); err != nil {

+			return

+		}

+		toSend = c.encode(c.generateSig())

+		c.authState = authStateNone

+		c.state = stateEncrypted

+		change = NewKeys

+	case msgTypeSig:

+		if c.authState != authStateAwaitingSig {

+			return

+		}

+		if err = c.processSig(msg); err != nil {

+			return

+		}

+		c.authState = authStateNone

+		c.state = stateEncrypted

+		change = NewKeys

+	case msgTypeData:

+		if c.state != stateEncrypted {

+			err = errors.New("otr: encrypted message received without encrypted session established")

+			return

+		}

+		var tlvs []tlv

+		out, tlvs, err = c.processData(msg)

+		encrypted = true

+

+	EachTLV:

+		for _, inTLV := range tlvs {

+			switch inTLV.typ {

+			case tlvTypeDisconnected:

+				change = ConversationEnded

+				c.state = stateFinished

+				break EachTLV

+			case tlvTypeSMP1, tlvTypeSMP2, tlvTypeSMP3, tlvTypeSMP4, tlvTypeSMPAbort, tlvTypeSMP1WithQuestion:

+				var reply tlv

+				var complete bool

+				reply, complete, err = c.processSMP(inTLV)

+				if err == smpSecretMissingError {

+					err = nil

+					change = SMPSecretNeeded

+					c.smp.saved = &inTLV

+					return

+				}

+				if err == smpFailureError {

+					err = nil

+					change = SMPFailed

+				} else if complete {

+					change = SMPComplete

+				}

+				if reply.typ != 0 {

+					toSend = c.encode(c.generateData(nil, &reply))

+				}

+				break EachTLV

+			default:

+				// skip unknown TLVs

+			}

+		}

+	default:

+		err = errors.New("otr: unknown message type " + strconv.Itoa(msgType))

+	}

+

+	return

+}

+

+// Send takes a human readable message from the local user, possibly encrypts

+// it and returns zero one or more messages to send to the peer.

+func (c *Conversation) Send(msg []byte) ([][]byte, error) {

+	switch c.state {

+	case statePlaintext:

+		return [][]byte{msg}, nil

+	case stateEncrypted:

+		return c.encode(c.generateData(msg, nil)), nil

+	case stateFinished:

+		return nil, errors.New("otr: cannot send message because secure conversation has finished")

+	}

+

+	return nil, errors.New("otr: cannot send message in current state")

+}

+

+// SMPQuestion returns the human readable challenge question from the peer.

+// It's only valid after Receive has returned SMPSecretNeeded.

+func (c *Conversation) SMPQuestion() string {

+	return c.smp.question

+}

+

+// Authenticate begins an authentication with the peer. Authentication involves

+// an optional challenge message and a shared secret. The authentication

+// proceeds until either Receive returns SMPComplete, SMPSecretNeeded (which

+// indicates that a new authentication is happening and thus this one was

+// aborted) or SMPFailed.

+func (c *Conversation) Authenticate(question string, mutualSecret []byte) (toSend [][]byte, err error) {

+	if c.state != stateEncrypted {

+		err = errors.New("otr: can't authenticate a peer without a secure conversation established")

+		return

+	}

+

+	if c.smp.saved != nil {

+		c.calcSMPSecret(mutualSecret, false /* they started it */)

+

+		var out tlv

+		var complete bool

+		out, complete, err = c.processSMP(*c.smp.saved)

+		if complete {

+			panic("SMP completed on the first message")

+		}

+		c.smp.saved = nil

+		if out.typ != 0 {

+			toSend = c.encode(c.generateData(nil, &out))

+		}

+		return

+	}

+

+	c.calcSMPSecret(mutualSecret, true /* we started it */)

+	outs := c.startSMP(question)

+	for _, out := range outs {

+		toSend = append(toSend, c.encode(c.generateData(nil, &out))...)

+	}

+	return

+}

+

+// End ends a secure conversation by generating a termination message for

+// the peer and switches to unencrypted communication.

+func (c *Conversation) End() (toSend [][]byte) {

+	switch c.state {

+	case statePlaintext:

+		return nil

+	case stateEncrypted:

+		c.state = statePlaintext

+		return c.encode(c.generateData(nil, &tlv{typ: tlvTypeDisconnected}))

+	case stateFinished:

+		c.state = statePlaintext

+		return nil

+	}

+	panic("unreachable")

+}

+

+// IsEncrypted returns true if a message passed to Send would be encrypted

+// before transmission. This result remains valid until the next call to

+// Receive or End, which may change the state of the Conversation.

+func (c *Conversation) IsEncrypted() bool {

+	return c.state == stateEncrypted

+}

+

+var fragmentError = errors.New("otr: invalid OTR fragment")

+

+// processFragment processes a fragmented OTR message and possibly returns a

+// complete message. Fragmented messages look like "?OTR,k,n,msg," where k is

+// the fragment number (starting from 1), n is the number of fragments in this

+// message and msg is a substring of the base64 encoded message.

+func (c *Conversation) processFragment(in []byte) (out []byte, err error) {

+	in = in[len(fragmentPrefix):] // remove "?OTR,"

+	parts := bytes.Split(in, fragmentPartSeparator)

+	if len(parts) != 4 || len(parts[3]) != 0 {

+		return nil, fragmentError

+	}

+

+	k, err := strconv.Atoi(string(parts[0]))

+	if err != nil {

+		return nil, fragmentError

+	}

+

+	n, err := strconv.Atoi(string(parts[1]))

+	if err != nil {

+		return nil, fragmentError

+	}

+

+	if k < 1 || n < 1 || k > n {

+		return nil, fragmentError

+	}

+

+	if k == 1 {

+		c.frag = append(c.frag[:0], parts[2]...)

+		c.k, c.n = k, n

+	} else if n == c.n && k == c.k+1 {

+		c.frag = append(c.frag, parts[2]...)

+		c.k++

+	} else {

+		c.frag = c.frag[:0]

+		c.n, c.k = 0, 0

+	}

+

+	if c.n > 0 && c.k == c.n {

+		c.n, c.k = 0, 0

+		return c.frag, nil

+	}

+

+	return nil, nil

+}

+

+func (c *Conversation) generateDHCommit() []byte {

+	_, err := io.ReadFull(c.rand(), c.r[:])

+	if err != nil {

+		panic("otr: short read from random source")

+	}

+

+	var xBytes [dhPrivateBytes]byte

+	c.x = c.randMPI(xBytes[:])

+	c.gx = new(big.Int).Exp(g, c.x, p)

+	c.gy = nil

+	c.gxBytes = appendMPI(nil, c.gx)

+

+	h := sha256.New()

+	h.Write(c.gxBytes)

+	h.Sum(c.digest[:0])

+

+	aesCipher, err := aes.NewCipher(c.r[:])

+	if err != nil {

+		panic(err.Error())

+	}

+

+	var iv [aes.BlockSize]byte

+	ctr := cipher.NewCTR(aesCipher, iv[:])

+	ctr.XORKeyStream(c.gxBytes, c.gxBytes)

+

+	return c.serializeDHCommit()

+}

+

+func (c *Conversation) serializeDHCommit() []byte {

+	var ret []byte

+	ret = appendU16(ret, 2) // protocol version

+	ret = append(ret, msgTypeDHCommit)

+	ret = appendData(ret, c.gxBytes)

+	ret = appendData(ret, c.digest[:])

+	return ret

+}

+

+func (c *Conversation) processDHCommit(in []byte) error {

+	var ok1, ok2 bool

+	c.gxBytes, in, ok1 = getData(in)

+	digest, in, ok2 := getData(in)

+	if !ok1 || !ok2 || len(in) > 0 {

+		return errors.New("otr: corrupt DH commit message")

+	}

+	copy(c.digest[:], digest)

+	return nil

+}

+

+func (c *Conversation) compareToDHCommit(in []byte) (int, error) {

+	_, in, ok1 := getData(in)

+	digest, in, ok2 := getData(in)

+	if !ok1 || !ok2 || len(in) > 0 {

+		return 0, errors.New("otr: corrupt DH commit message")

+	}

+	return bytes.Compare(c.digest[:], digest), nil

+}

+

+func (c *Conversation) generateDHKey() []byte {

+	var yBytes [dhPrivateBytes]byte

+	c.y = c.randMPI(yBytes[:])

+	c.gy = new(big.Int).Exp(g, c.y, p)

+	return c.serializeDHKey()

+}

+

+func (c *Conversation) serializeDHKey() []byte {

+	var ret []byte

+	ret = appendU16(ret, 2) // protocol version

+	ret = append(ret, msgTypeDHKey)

+	ret = appendMPI(ret, c.gy)

+	return ret

+}

+

+func (c *Conversation) processDHKey(in []byte) (isSame bool, err error) {

+	gy, in, ok := getMPI(in)

+	if !ok {

+		err = errors.New("otr: corrupt DH key message")

+		return

+	}

+	if gy.Cmp(g) < 0 || gy.Cmp(pMinus2) > 0 {

+		err = errors.New("otr: DH value out of range")

+		return

+	}

+	if c.gy != nil {

+		isSame = c.gy.Cmp(gy) == 0