tingping / hexchat-otr Goto Github PK

View Code? Open in Web Editor NEW

This project forked from adhux/hexchat-otr

32.0 9.0 9.0 112 KB

Off the record plugin for HexChat

License: GNU General Public License v2.0

C 88.86% Python 5.64% Meson 5.50%

hexchat otr

hexchat-otr's Introduction

HexChat OTR

Adds off-the-record (OTR) support to HexChat.

Originally forked from irssi-otr and still a work in progress.

Installation

Dependencies

glib
gcrypt
libotr4
hexchat
meson

User install

meson builddir -Dlocal_install=true
ninja -C builddir install

System install

meson builddir
ninja -C builddir
sudo ninja -C builddir install

Usage

Start a session with a user:
```
/query nick
/otr start
```
If this is your first time it may take a while to generate a key.
Authenticate this user:

At this point you need to verify this is the person you think it is.
- If you know their fingerprint and it is correct:
```
 /otr trust
```
- If you have previously agreed on a shared secret:
```
 /otr auth <shared secret>
```
- If you have neither of these:
```
 /otr authq <question> <answer>
```
Start chatting:

Everything should be secure at this point. When you are done:
```
/otr finish
```

hexchat-otr's People

Contributors

Stargazers

Watchers

Forkers

torontocrypto jobava-hexchat zeriam petterreinholdtsen thelifeofjay fridim lucas-developer notmike-5 devnull-hub-lab

hexchat-otr's Issues

hexchat-otr ready for Debian?

Hi. I just discovered this plugin, and tested it in Debian. It seem to be working, but the open issue (IRC server name used when creating key) make me unsure if it is ready for a wider audience. Do you believe it is ready to become part of Debian?

Are there other hexchat plugins for OTR available? I found some github repos, but they all have different maturity levels.

authq works unexpectedly in a private dialog

/otr authq "Question?" answer in a private dialog with the recipient results into revealing the answer on the other end.

/otr auth user "Question?" answer works fine.

OTR: couldn't find context also OTR changed the outgoing message(BUG?)

I get this message while chatting via a non-otr query.
On the same time i've a otr-session running with a second person - but there i see also some ?OTR? entries during the encrypted conversation.

Null pointer dereference in otr_ops.c

There's an intermittent crash I've been having with this project. In short, it's possible that ops_secure in otr_ops.c is called with coi defined on line 133 as NULL. Please see my attached backtrace and let me know if there's anything else I can give you to help.

(gdb) thread apply all bt

Thread 3 (Thread 0x7fb3c53bc700 (LWP 62268)):
#0  0x00007fb3c8720aff in __GI___poll (fds=0x55562c692210, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00007fb3c931936e in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007fb3c93196f3 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007fb3c956ef8a in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#4  0x00007fb3c9342ad1 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007fb3c8806609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#6  0x00007fb3c872d293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 2 (Thread 0x7fb3c5bbd700 (LWP 62267)):
#0  0x00007fb3c8720aff in __GI___poll (fds=0x55562c67a730, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00007fb3c931936e in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007fb3c93194a3 in g_main_context_iteration () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007fb3c93194f1 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007fb3c9342ad1 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007fb3c8806609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#6  0x00007fb3c872d293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7fb3c75b2a80 (LWP 62263)):
#0  0x00007fb3c5c74ded in ops_secure (opdata=0x7fffff685780, context=0x55562ba8ce40) at src/otr_ops.c:137
#1  0x00007fb3c5bc8ca7 in  () at /lib/x86_64-linux-gnu/libotr.so.5
#2  0x00007fb3c5bcec51 in otrl_auth_handle_signature () at /lib/x86_64-linux-gnu/libotr.so.5
#3  0x00007fb3c5bcaf62 in otrl_message_receiving () at /lib/x86_64-linux-gnu/libotr.so.5
#4  0x00007fb3c5c76cf5 in otr_receive (ircctx=0x7fffff685780, msg=0x55562ba44716 "PRIVMSG redcircle :?OTR|1443c377|68d09577,00002,00002,tlIrb/m4px/rNOqw0Xw8I4juyDHSKVohqI7OQD9SW/qaqDkf4GvpGYFIx2j9kCodtOTDRwGnbZIeGRk2/vSS5UhynpI3DSxMTjjNHIkomzwvlPPxJDhmM0ABL8i12zYyxfR+anLXkphR6XimJH"..., from=0x7fffff685790 "xxxx__") at src/otr_util.c:679
#5  0x00007fb3c5c77d8b in hook_privmsg (word=0x7fffff6859c0, word_eol=0x7fffff685ad0, userdata=0x0) at src/hexchat_otr.c:245
#6  0x000055562affb9b3 in plugin_hook_run (sess=0x55562c77aa70, name=0x55562c73bab7 "PRIVMSG", word=0x7fffff6859c0, word_eol=0x7fffff685ad0, attrs=0x7fffff685940, type=6) at ../src/common/plugin.c:569
#7  0x000055562affbba6 in plugin_emit_server (sess=0x55562c77aa70, name=0x55562c73bab7 "PRIVMSG", word=0x7fffff6859c0, word_eol=0x7fffff685ad0, server_time=1626492726) at ../src/common/plugin.c:640
#8  0x000055562b01534b in irc_inline (serv=0x55562ba5c710, buf=0x55562ba446ef ":[email protected] PRIVMSG redcircle :?OTR|1443c377|68d09577,00002,00002,tlIrb/m4px/rNOqw0Xw8I4juyDHSKVohqI7OQD9SW/qaqDkf4GvpGYFIx2j9kCodtOTDRwGnbZIeGRk2/vSS5UhynpI3DSxMTjjNHIkomzw"..., len=436) at ../src/common/proto-irc.c:1578
#9  0x000055562b00098b in server_inline (serv=0x55562ba5c710, line=0x55562ba446d0 "@time=2021-07-17T03:32:06.588Z", len=436) at ../src/common/server.c:291
#10 0x000055562b000c03 in server_read (source=0x55562c64de80, condition=G_IO_IN, serv=0x55562ba5c710) at ../src/common/server.c:355
#11 0x00007fb3c931904e in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x00007fb3c9319400 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007fb3c93196f3 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x00007fb3c8fa2092 in gtk_main () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#15 0x000055562af95358 in fe_main () at ../src/fe-gtk/fe-gtk.c:347
#16 0x000055562afe5759 in main (argc=1, argv=0x7fffff686f48) at ../src/common/hexchat.c:1141
(gdb) frame 0
#0  0x00007fb3c5c74ded in ops_secure (opdata=0x7fffff685780, context=0x55562ba8ce40) at src/otr_ops.c:137
137		otr_notice (coi->ircctx,
(gdb) l
132	{
133		struct co_info *coi = context->app_data;
134		char *trust = context->active_fingerprint->trust ?: "";
135		char ownfp[45], peerfp[45];
136	
137		otr_notice (coi->ircctx,
138					context->username, TXT_OPS_SEC);
139		if (*trust != '\0')
140			return;
141	
(gdb) p coi
$1 = (struct co_info *) 0x0

Seeing mostly "OTR: internal error parsing error string (BUG)"

I've tried to build this project on Scientific Linux 7.3 (RHEL 7.3 clone). I had to reduce the pkg-config version from 0.28 to 0.27, that worked without any visible issues. But when loading the plug-in and trying to use it, most of the time I only get this response:

OTR: internal error parsing error string (BUG)

Building against:

$ rpm -q glib glib-devel libgcrypt libgcrypt-devel libotr libotr-devel hexchat hexchat-devel
glib-1.2.10-41.el7.x86_64
glib-devel-1.2.10-41.el7.x86_64
libgcrypt-1.5.3-13.el7_3.1.x86_64
libgcrypt-devel-1.5.3-13.el7_3.1.x86_64
libotr-4.1.1-1.el7.x86_64
libotr-devel-4.1.1-1.el7.x86_64
hexchat-2.10.2-1.el7.x86_64
hexchat-devel-2.10.2-1.el7.x86_64

Otherwise the build environment is:

$ rpm -q gcc glibc pkgconfig
gcc-4.8.5-11.el7.x86_64
glibc-2.17-157.el7_3.1.x86_64
pkgconfig-0.27.1-4.el7.x86_64

The build completes, but there are a few warnings here:

src/hexchat_otr.c:290:6: warning: no previous prototype for 'hexchat_plugin_get_info' [-Wmissing-prototypes]
 void hexchat_plugin_get_info (char **name, char **desc, char **version, void **reserved)
      ^
src/hexchat_otr.c:297:5: warning: no previous prototype for 'hexchat_plugin_init' [-Wmissing-prototypes]
 int hexchat_plugin_init (hexchat_plugin *plugin_handle,
     ^
src/hexchat_otr.c:328:5: warning: no previous prototype for 'hexchat_plugin_deinit' [-Wmissing-prototypes]
 int hexchat_plugin_deinit (void)
     ^

Only giving this a quick look, I have not been able to locate replacement functions for these calls. Which version of hexchat is this plug-in expected to be built against?

Format of otr.key: account name

Is it really necessary that the name of the current irc-server is used in the account name ?
it would be much nicer that the network-name from hexchat would be used.

i do connect to a znc were every user is configured with multiple irc-servers.
in case the bouncer reconnects to another server i need to create a new key pair.

Please add copyright / license statements to the source files.

It would be easier to verify the license of the source code if they contained copyright statements at the top of each source file. Please consider adding such headers to the files in src/.

New release planned?

Hi. Do you plan to make a new release any time soon? I wonder if I should wait for a new release before updating the package in Debian, or just pull individual patches on top of 0.2.0.

crypted conversation not initiated after generating new key with /otr init

When you use /otr init for the first time, it does what we'd expect: generate a new key.

However, once key creation is done and hexchat-otr says the key was completed successfully and loaded, an encrypted communication is not initialized.

A workaround is to use /otr init again but since the status of the otr session is not easy to see, one can very easily think that the conversation is safe right after the first time this command was used.

It would be better if a crypted communication was started right after key generation when using init (not genkey since this command is meant to only generate a key)

It's not verbose enough

It's just not verbose enough for me, I can hardly be certain it's working. Although I have nobody else who has OTR to test it with. Let me know if I need to be more specific.

not encrypted messages are silently dropped

when the client thinks that the query is still encrypted, but the partner in writing in cleartext, the messages are not displayed at all.

./configure --prefix not working

Install location uses /usr/lib/ regardless.

Disable OTR chat logging by default

OTR stands for "Off-The-Record", and by design supports perfect forward secrecy. Logging negates this.

Chelsea Manning was prosecuted using alleged OTR chat logs.

Support building with meson 0.37?

Is it possible to change the default meson build rules to work with version 0.37.1, the one in Debian stable?

I was able to get the build going using the following patch, but I am new to mason and do not know if this is a good approach.

diff --git a/meson.build b/meson.build
index 6eedb05..03235ea 100644
--- a/meson.build
+++ b/meson.build
@@ -1,6 +1,6 @@
 project('hexchat-otr', 'c',
   version: '0.2.2',
-  meson_version: '>= 0.46',
+  meson_version: '>= 0.37',
   default_options: [
     'c_std=gnu99',
     'buildtype=debugoptimized',
@@ -10,7 +10,7 @@ project('hexchat-otr', 'c',
 
 cc = meson.get_compiler('c')
 
-add_project_arguments(cc.get_supported_arguments([
+add_project_arguments([
   '-fvisibility=hidden',
   '-funsigned-char',
   '-fstack-protector-strong',
@@ -28,12 +28,12 @@ add_project_arguments(cc.get_supported_arguments([
   '-Werror=format=2',
   '-Werror=missing-include-dirs',
   '-Werror=date-time',
-]), language: 'c')
+], language: 'c')
 
-add_project_link_arguments(cc.get_supported_link_arguments([
+add_project_link_arguments([
   '-Wl,-z,relro',
   '-Wl,-z,now',
-]), language: 'c')
+], language: 'c')
 
 config = configuration_data()
 config.set_quoted('PACKAGE_VERSION', meson.project_version())

./configure requires autoconf-archive

Need to add some checks.

Change how active OTR is flagged in chats?

Hi.

If I got it right, this plugin indicate that OTR is used by adding stars (*) around the username of the other party in the chat window. While the python OTR plugin available from https://github.com/SpiralP/HexChat-otr indicate active OTR by adding [OTR] in front of the username. I find the [OTR] flag easier to understand than the nick flag. Would it be interesting to change the way active OTR is flagged in this plugin?

Plugin files install to wrong directory on x86_64 system

The make install command installs the plugin files to /usr/local/lib/hexchat/plugins on my x86_64 system, but the correct plugin directory is /usr/lib/x86_64-linux-gnu/hexchat/plugins. This may be resolved by installing the plugin files to ~/.config/hexchat/addons, but consideration of custom config directories may needed.

This message prints when autogen.sh runs:
checking for hexchat's plugin path... not found, assuming ${exec_prefix}/lib/hexchat/plugins.

Address issues found by flawfinder?

Hi. I ran flawfinder on the source code, and it found a few issues. Are you aware of these issues? Some of them seem to be false positives.

$ flawfinder -Q -c .
Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
./src/hexchat_otr.c:7:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static char set_policy[512] = IO_DEFAULT_POLICY;
./src/hexchat_otr.c:8:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static char set_policy_known[512] = IO_DEFAULT_POLICY_KNOWN;
./src/hexchat_otr.c:9:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
static char set_ignore[512] = IO_DEFAULT_IGNORE;
./src/hexchat_otr.c:178:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char newmsg[512];
./src/hexchat_otr.c:210:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char nick[256];
./src/hexchat_otr.c:334:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char msg[LOGMAX], *s = msg;
./src/otr.h:157:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char better_msg_two[256]; /* what the second line of the "better"
./src/otr_ops.c:37:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char fullname[1024];
./src/otr_ops.c:135:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char ownfp[45], peerfp[45];
./src/otr_util.c:150:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char accname[256];
./src/otr_util.c:195:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char fp[41];
./src/otr_util.c:237:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
                sprintf (fp + i * 2, "%02x",
./src/otr_util.c:259:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char accname[128];
./src/otr_util.c:325:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char accname[128];
./src/otr_util.c:425:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char accname[128];
./src/otr_util.c:486:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char accname[128];
./src/otr_util.c:525:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char accname[128];
./src/otr_util.c:620:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    char accname[256];
./src/otr_key.c:99:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    read (g_io_channel_unix_get_fd (kg_st.ch[0]), &err, sizeof(err));
./src/otr_util.c:586:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                strlen (secret));
./src/otr_util.c:594:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                strlen (secret));
./src/otr_util.c:602:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
            strlen (secret));
./src/otr_util.c:655:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        if ((strlen (msg) > OTR_MAX_MSG_SIZE) && (msg[strlen (msg) - 1] != '.') && (msg[strlen (msg) - 1] != ','))
./src/otr_util.c:655:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        if ((strlen (msg) > OTR_MAX_MSG_SIZE) && (msg[strlen (msg) - 1] != '.') && (msg[strlen (msg) - 1] != ','))
./src/otr_util.c:655:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        if ((strlen (msg) > OTR_MAX_MSG_SIZE) && (msg[strlen (msg) - 1] != '.') && (msg[strlen (msg) - 1] != ','))
./src/otr_util.c:659:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                   strlen (coi->msgqueue));
./src/otr_util.c:668:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    else if (strstr (msg, "?OTR:") && (strlen (msg) > OTR_MAX_MSG_SIZE) && (msg[strlen (msg) - 1] != '.') && (msg[strlen (msg) - 1] != ','))
./src/otr_util.c:668:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    else if (strstr (msg, "?OTR:") && (strlen (msg) > OTR_MAX_MSG_SIZE) && (msg[strlen (msg) - 1] != '.') && (msg[strlen (msg) - 1] != ','))
./src/otr_util.c:668:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    else if (strstr (msg, "?OTR:") && (strlen (msg) > OTR_MAX_MSG_SIZE) && (msg[strlen (msg) - 1] != '.') && (msg[strlen (msg) - 1] != ','))
./src/otr_util.c:672:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        otr_debug (ircctx, from, TXT_RECEIVE_QUEUED, strlen (msg));
./src/otr_util.c:703:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                   TXT_RECEIVE_IGNORE, strlen (msg), accname, from, msg);

ANALYSIS SUMMARY:

Hits = 31
Lines analyzed = 2337 in approximately 0.04 seconds (59361 lines/second)
Physical Source Lines of Code (SLOC) = 1759
Hits@level = [0]   0 [1]  13 [2]  18 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  31 [1+]  31 [2+]  18 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 17.6236 [1+] 17.6236 [2+] 10.2331 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 2 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming for Linux and Unix HOWTO'
(http://www.dwheeler.com/secure-programs) for more information.

Problems with weechat OTR plugin

Hi,
thanks for implementing this plugin.

I've recently tried it and discovered that there are some issues when my contact uses weechat with https://github.com/mmb/weechat-otr plugin. OTR session seems to be establishing successfully. Then we mutually transmit some OTR messages that are readable in both ends. At random points of time I receive raw OTR messages from my contact, i.e messages starting with "?OTR:".

I compiled this plugin in Debian jessie, hexchat 2.10.1-1, libotr5 4.1.0-2, if that helps.

Greetings.

Check status of OTR session from hexchat?

Is there a way to check the status of an OTR session from within hexchat? I would like to know if a session is going to be encrypted and what the fingerprints for the session are. Something like /otr status or similar. No idea what other OTR clients are doing, but perhaps there is some well known /otr command used elsewere that could be implemented?

Missing UI to let users see their own key

There currently doesn't seem to be any interface with this plugin to let users see what their key is.

At the least, it would be great to easily list key fingerprints and show which network it is associated with.

A bonus would be to let users backup/import keys

Finish automatically when client is closed

it happens quite often that hexchat thinks that a query is running encrypted, because i once talked crypted to that person. but weeks after that (and several hexchat-restarts) the counterpart writes plaintext messages and these arent displayed at all, because its not encrypted and are silently dropped.

'init' is missing in the help

In the help of the plugin the 'init'-command is missing.