diff -Naur bitlbee-1.2.3/Makefile bitlbee-otr-1.2.3/Makefile
--- bitlbee-1.2.3/Makefile	Sat Sep  6 12:33:14 2008
+++ bitlbee-otr-1.2.3/Makefile	Sat Feb  7 09:14:28 2009
@@ -9,8 +9,8 @@
 -include Makefile.settings
 
 # Program variables
-objects = account.o bitlbee.o crypting.o help.o ipc.o irc.o irc_commands.o nick.o query.o root_commands.o set.o storage.o $(STORAGE_OBJS) user.o
-headers = account.h bitlbee.h commands.h conf.h config.h crypting.h help.h ipc.h irc.h log.h nick.h query.h set.h sock.h storage.h user.h lib/events.h lib/http_client.h lib/ini.h lib/md5.h lib/misc.h lib/proxy.h lib/sha1.h lib/ssl_client.h lib/url.h protocols/nogaim.h
+objects = account.o bitlbee.o crypting.o help.o ipc.o irc.o irc_commands.o nick.o otr.o query.o root_commands.o set.o storage.o $(STORAGE_OBJS) user.o
+headers = account.h bitlbee.h commands.h conf.h config.h crypting.h help.h ipc.h irc.h log.h nick.h otr.h query.h set.h sock.h storage.h user.h lib/events.h lib/http_client.h lib/ini.h lib/md5.h lib/misc.h lib/proxy.h lib/sha1.h lib/ssl_client.h lib/url.h protocols/nogaim.h
 subdirs = lib protocols
 
 ifeq ($(TARGET),i586-mingw32msvc)
diff -Naur bitlbee-1.2.3/Makefile.settings bitlbee-otr-1.2.3/Makefile.settings
--- bitlbee-1.2.3/Makefile.settings	Thu Jan  1 00:00:00 1970
+++ bitlbee-otr-1.2.3/Makefile.settings	Sun Feb  8 03:47:06 2009
@@ -0,0 +1,36 @@
+## BitlBee settings, generated by configure
+PREFIX=/usr/local/
+BINDIR=/usr/local/sbin/
+ETCDIR=/usr/local/etc/bitlbee/
+MANDIR=/usr/local/share/man/
+DATADIR=/usr/local/share/bitlbee/
+PLUGINDIR=/usr/local/lib/bitlbee/
+CONFIG=/var/lib/bitlbee/
+INCLUDEDIR=/usr/local/include/bitlbee/
+PCDIR=/usr/local/lib/pkgconfig
+
+TARGET=
+ARCH=OpenBSD
+CPU=i386
+
+DESTDIR=
+LFLAGS=
+EFLAGS=
+DEBUG=1
+CFLAGS=-g -DDEBUG
+CFLAGS+=-Ibitlbee-otr/bitlbee-1.2.3-mine -Ibitlbee-otr/bitlbee-1.2.3-mine/lib -Ibitlbee-otr/bitlbee-1.2.3-mine/protocols -I.
+CFLAGS+=-DHAVE_CONFIG_H
+CC=gcc
+LD=ld
+EFLAGS+=-L/usr/local/lib -Wl,-E -lgmodule-2.0 -lglib-2.0 -lintl -liconv
+CFLAGS+=-I/usr/local/include/glib-2.0 -I/usr/local/lib/glib-2.0/include
+EVENT_HANDLER=events_glib.o
+EFLAGS+=-L/usr/local/lib -lgnutls
+CFLAGS+=-I/usr/local/include
+SSL_CLIENT=ssl_gnutls.o
+STORAGE_OBJS= storage_text.o storage_xml.o
+STRIP=\# skip strip
+EFLAGS+=-L/usr/local/lib -lotr
+CFLAGS+=-I/usr/local/include
+PROTOCOLS = msn jabber oscar yahoo 
+PROTOOBJS = msn_mod.o jabber_mod.o oscar_mod.o yahoo_mod.o 
diff -Naur bitlbee-1.2.3/README.OTR bitlbee-otr-1.2.3/README.OTR
--- bitlbee-1.2.3/README.OTR	Thu Jan  1 00:00:00 1970
+++ bitlbee-otr-1.2.3/README.OTR	Mon Feb  9 23:42:21 2009
@@ -0,0 +1 @@
+This is Bitlbee v1.2.3 with Sven Moritz Hallberg's <pesco@khjk.org>  OTR modifications to a previous version of bitlbee merged in.  Original development by Mr. Hallberg was kindly funded by stonedcoder.org.  Merging Mr. Hallberg's changes was done by Jon Striley.  This verion of bitlbee is available at http://www.strileyconsulting.com/projects/bitlbee-otr/.  The original bitlbee-otr is available at http://www.khjk.org/bitlbee-otr/.
diff -Naur bitlbee-1.2.3/bitlbee.h bitlbee-otr-1.2.3/bitlbee.h
--- bitlbee-1.2.3/bitlbee.h	Sun Sep  7 12:07:07 2008
+++ bitlbee-otr-1.2.3/bitlbee.h	Sat Feb  7 09:19:21 2009
@@ -136,6 +136,7 @@
 #include "sock.h"
 #include "misc.h"
 #include "proxy.h"
+#include "otr.h"
 
 typedef struct global {
 	/* In forked mode, child processes store the fd of the IPC socket here. */
@@ -147,6 +148,7 @@
 	GList *storage; /* The first backend in the list will be used for saving */
 	char *helpfile;
 	int restart;
+	OtrlMessageAppOps otr_ops;   /* collects interface functions required by OTR */
 } global_t;
 
 int bitlbee_daemon_init( void );
diff -Naur bitlbee-1.2.3/bitlbee.pc bitlbee-otr-1.2.3/bitlbee.pc
--- bitlbee-1.2.3/bitlbee.pc	Thu Jan  1 00:00:00 1970
+++ bitlbee-otr-1.2.3/bitlbee.pc	Sun Feb  8 03:47:06 2009
@@ -0,0 +1,10 @@
+prefix=/usr/local/
+includedir=/usr/local/include/bitlbee/
+
+Name: bitlbee
+Description: IRC to IM gateway
+Requires: glib-2.0
+Version: 
+Libs:
+Cflags: -I${includedir}
+
diff -Naur bitlbee-1.2.3/config.h bitlbee-otr-1.2.3/config.h
--- bitlbee-1.2.3/config.h	Thu Jan  1 00:00:00 1970
+++ bitlbee-otr-1.2.3/config.h	Sun Feb  8 03:47:06 2009
@@ -0,0 +1,21 @@
+/* BitlBee settings, generated by configure
+   
+   Do *NOT* use any of these defines in your code without thinking twice, most
+   of them can/will be overridden at run-time */
+
+#define CONFIG "/var/lib/bitlbee/"
+#define ETCDIR "/usr/local/etc/bitlbee/"
+#define VARDIR "/usr/local/share/bitlbee/"
+#define PLUGINDIR "/usr/local/lib/bitlbee/"
+#define PIDFILE "/var/run/bitlbee.pid"
+#define IPCSOCKET "/var/run/bitlbee.sock"
+#define ARCH "OpenBSD"
+#define CPU "i386"
+#define EVENTS_GLIB
+#undef WITH_LDAP
+#define WITH_PLUGINS
+#define WITH_OTR
+#define WITH_MSN
+#define WITH_JABBER
+#define WITH_OSCAR
+#define WITH_YAHOO
diff -Naur bitlbee-1.2.3/configure bitlbee-otr-1.2.3/configure
--- bitlbee-1.2.3/configure	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/configure	Sat Feb  7 09:27:55 2009
@@ -30,6 +30,7 @@
 strip=1
 gcov=0
 plugins=1
+otr=auto
 
 events=glib
 ldap=0
@@ -70,6 +71,7 @@
 --strip=0/1	Disable/enable binary stripping		$strip
 --gcov=0/1	Disable/enable test coverage reporting	$gcov
 --plugins=0/1	Disable/enable plugins support		$plugins
+--otr=0/1/auto	Disable/enable OTR encryption support	$otr
 
 --events=...	Event handler (glib, libevent)		$events
 --ssl=...	SSL library to use (gnutls, nss, openssl, bogus, auto)
@@ -410,6 +412,28 @@
 	echo '#define WITH_PLUGINS' >> config.h
 fi
 
+otrprefix=""
+for i in / /usr /usr/local; do
+	if [ -f ${i}/lib/libotr.a ]; then
+		otrprefix=${i}
+		break
+	fi
+done
+if [ "$otr" = "auto" ]; then
+	if [ -n "$otrprefix" ]; then
+		otr=1
+	else
+		otr=0
+	fi
+fi
+if [ "$otr" = 1 ]; then
+	echo '#define WITH_OTR' >> config.h
+	echo "EFLAGS+=-L${otrprefix}/lib -lotr" >> Makefile.settings
+	echo "CFLAGS+=-I${otrprefix}/include" >> Makefile.settings
+else
+	echo '#undef WITH_OTR' >> config.h
+fi
+
 echo
 if [ -z "$BITLBEE_VERSION" -a -d .bzr ] && type bzr > /dev/null 2> /dev/null; then
 	nick=`bzr nick`
@@ -533,6 +557,12 @@
 	echo '  Binary stripping enabled.'
 else
 	echo '  Binary stripping disabled.'
+fi
+
+if [ "$otr" = "1" ]; then
+	echo '  Off-the-Record (OTR) Messaging enabled.'
+else
+	echo '  Off-the-Record (OTR) Messaging disabled.'
 fi
 
 echo '  Using event handler: '$events
diff -Naur bitlbee-1.2.3/doc/user-guide/commands.xml bitlbee-otr-1.2.3/doc/user-guide/commands.xml
--- bitlbee-1.2.3/doc/user-guide/commands.xml	Sat Sep  6 12:33:14 2008
+++ bitlbee-otr-1.2.3/doc/user-guide/commands.xml	Sun Feb  8 05:12:29 2009
@@ -240,6 +240,155 @@
 		</description>
 	</bitlbee-command>
 
+	<bitlbee-command name="otr">
+		<short-description>Off-the-Record encryption control</short-description>
+		<syntax>otr &lt;subcommand&gt; [&lt;arguments&gt;]</syntax>
+
+		<description>
+
+			<para>
+				Available subcommands: connect, disconnect, smp, trust, info, keygen, and forget. See <emphasis>help otr &lt;subcommand&gt;</emphasis> for more information.
+			</para>
+
+		</description>
+		
+		<bitlbee-command name="connect">
+			<syntax>otr connect &lt;nick&gt;</syntax>
+			
+			<description>
+			
+				<para>
+					Attempts to establish an encrypted connection with the specified user by sending a magic string.
+				</para>
+				
+			</description>
+		
+		</bitlbee-command>
+		
+		<bitlbee-command name="disconnect">
+			<syntax>otr disconnect &lt;nick&gt;</syntax>
+			
+			<description>
+			
+				<para>
+					Resets the connection with the specified user to cleartext.
+				</para>
+				
+			</description>
+		
+		</bitlbee-command>
+		
+		<bitlbee-command name="smp">
+			<syntax>otr smp &lt;nick&gt; &lt;secret&gt;</syntax>
+			
+			<description>
+			
+				<para>
+					Attempts to authenticate the given user's active fingerprint via the Socialist Millionaires' Protocol.
+				</para>
+				
+				<para>
+					If an SMP challenge has already been received from the given user, responds with the specified secret. Otherwise, a challenge for the secret will be sent. If the protocol succeeds (i.e. both parties gave the same secret), the fingerprint will be trusted.
+				</para>
+				
+			</description>
+		
+		</bitlbee-command>
+		
+		<bitlbee-command name="trust">
+			<syntax>otr trust &lt;nick&gt; &lt;fp1&gt; &lt;fp2&gt; &lt;fp3&gt; &lt;fp4&gt; &lt;fp5&gt;</syntax>
+			
+			<description>
+			
+				<para>
+					Manually affirms trust in the specified fingerprint, given as five blocks of precisely eight (hexadecimal) digits each.
+				</para>
+				
+			</description>
+		
+		</bitlbee-command>
+		
+		<bitlbee-command name="info">
+			<syntax>otr info</syntax>
+			<syntax>otr info &lt;nick&gt;</syntax>
+			
+			<description>
+			
+				<para>
+					Shows information about the OTR state. The first form lists our private keys and current OTR contexts. The second form displays information about the connection with a given user, including the list of their known fingerprints.
+				</para>
+				
+			</description>
+		
+		</bitlbee-command>
+		
+		<bitlbee-command name="keygen">
+			<syntax>otr keygen &lt;account-no&gt;</syntax>
+			
+			<description>
+			
+				<para>
+					Generates a new OTR private key for the given account.
+				</para>
+				
+			</description>
+		
+		</bitlbee-command>
+		
+		<bitlbee-command name="forget">
+			<syntax>otr forget &lt;thing&gt; &lt;arguments&gt;</syntax>
+			
+			<description>
+			
+				<para>
+					Forgets some part of our OTR userstate. Available things: fingerprint, context, and key. See <emphasis>help otr forget &lt;thing&gt;</emphasis> for more information.
+				</para>
+			
+			</description>
+			
+			<bitlbee-command name="fingerprint">
+				<syntax>otr forget fingerprint &lt;nick&gt; &lt;fingerprint&gt;</syntax>
+				
+				<description>
+				
+					<para>
+						Drops the specified fingerprint from the given user's OTR connection context. It is allowed to specify only a (unique) prefix of the desired fingerprint.
+					</para>
+					
+				</description>
+				
+			</bitlbee-command>
+				
+			<bitlbee-command name="context">
+				<syntax>otr forget context &lt;nick&gt;</syntax>
+				
+				<description>
+				
+					<para>
+						Forgets the entire OTR context associated with the given user. This includes current message and protocol states, as well as any fingerprints for that user.
+					</para>
+					
+				</description>
+				
+			</bitlbee-command>
+
+			<bitlbee-command name="key">
+				<syntax>otr forget key &lt;fingerprint&gt;</syntax>
+				
+				<description>
+				
+					<para>
+						Forgets an OTR private key matching the specified fingerprint. It is allowed to specify only a (unique) prefix of the fingerprint.
+					</para>
+					
+				</description>
+				
+			</bitlbee-command>
+		
+		</bitlbee-command>
+		
+	</bitlbee-command>
+
 	<bitlbee-command name="set">
 		<short-description>Miscellaneous settings</short-description>
 		<syntax>set</syntax>
@@ -287,7 +436,7 @@
 			</para>
 		</description>
 	</bitlbee-command>
-
+	
 	<bitlbee-setting name="auto_connect" type="boolean" scope="both">
 		<default>true</default>
 
@@ -396,7 +545,18 @@
 		</description>
 
 	</bitlbee-setting>
+	
+	<bitlbee-setting name="color_encrypted" type="boolean" scope="global">
+		<default>true</default>
 
+		<description>
+			<para>
+				If set to true, BitlBee will color incoming encrypted messages according to their fingerprint trust level: untrusted=red, trusted=green.
+			</para>
+		</description>
+
+	</bitlbee-setting>
+
 	<bitlbee-setting name="debug" type="boolean" scope="global">
 		<default>false</default>
 
@@ -436,6 +596,22 @@
 		</description>
 	</bitlbee-setting>
 
+	<bitlbee-setting name="halfop_buddies" type="string" scope="global">
+		<default>encrypted</default>
+		<possible-values>encrypted, trusted, notaway, false</possible-values>
+
+		<description>
+			<para>
+				Specifies under which circumstances BitlBee should give the "halfop" mode flag (+h) to buddies.
+			</para>
+			
+			<para>
+				If "false", the flag is never set. On "notaway", the flag is removed for users marked as "away" and set for all others. On "encrypted", the flag is set for users with whom we have an encrypted connection. On "trusted", it is set only for encrypted connections using a trusted key.
+			</para>
+		</description>
+
+	</bitlbee-setting>
+
 	<bitlbee-setting name="handle_unknown" type="string" scope="global">
 		<default>root</default>
 		<possible-values>root, add, add_private, add_channel, ignore</possible-values>
@@ -485,6 +661,36 @@
 
 	</bitlbee-setting>
 
+	<bitlbee-setting name="otr_policy" type="string" scope="global">
+		<default>opportunistic</default>
+		<possible-values>never, opportunistic, manual, always</possible-values>
+
+		<description>
+			<para>
+				This setting controls the policy for establishing Off-the-Record connections.
+			</para>
+			<para>
+				A value of "never" effectively disables the OTR subsystem. In "opportunistic" mode, a magic whitespace pattern will be appended to the first message sent to any user. If the peer is also running opportunistic OTR, an encrypted connection will be set up automatically. On "manual", on the other hand, OTR connections must be established explicitly using <emphasis>otr connect</emphasis>. Finally, the setting "always" enforces encrypted communication by causing BitlBee to refuse to send any cleartext messages at all.
+			</para>
+		</description>
+	</bitlbee-setting>
+
+	<bitlbee-setting name="op_buddies" type="string" scope="global">
+		<default>trusted</default>
+		<possible-values>encrypted, trusted, notaway, false</possible-values>
+
+		<description>
+			<para>
+				Specifies under which circumstances BitlBee should give the "op" mode flag (+o) to buddies.
+			</para>
+			
+			<para>
+				If "false", the flag is never set. On "notaway", the flag is removed for users marked as "away" and set for all others. On "encrypted", the flag is set for users with whom we have an encrypted connection. On "trusted", it is set only for encrypted connections using a trusted key.
+			</para>
+		</description>
+
+	</bitlbee-setting>
+
 	<bitlbee-setting name="ops" type="string" scope="global">
 		<default>both</default>
 		<possible-values>both, root, user, none</possible-values>
@@ -690,6 +896,23 @@
 			</para>
 		</description>
 	</bitlbee-setting>
+	
+	<bitlbee-setting name="voice_buddies" type="string" scope="global">
+		<default>trusted</default>
+		<possible-values>encrypted, trusted, notaway, false</possible-values>
+
+		<description>
+			<para>
+				Specifies under which circumstances BitlBee should give the "voice" mode flag (+v) to buddies.
+			</para>
+			
+			<para>
+				If "false", the flag is never set. On "notaway", the flag is removed for users marked as "away" and set for all others. On "encrypted", the flag is set for users with whom we have an encrypted connection. On "trusted", it is set only for encrypted connections using a trusted key.
+			</para>
+		</description>
+
+	</bitlbee-setting>
+
 
 	<bitlbee-setting name="web_aware" type="string" scope="account">
 		<default>false</default>
diff -Naur bitlbee-1.2.3/doc/user-guide/help.txt bitlbee-otr-1.2.3/doc/user-guide/help.txt
--- bitlbee-1.2.3/doc/user-guide/help.txt	Sat Sep  6 13:15:00 2008
+++ bitlbee-otr-1.2.3/doc/user-guide/help.txt	Sun Feb  8 05:13:58 2009
@@ -108,6 +108,7 @@
  * remove - Remove a buddy from your contact list
  * block - Block someone
  * allow - Unblock someone
+ * otr - Off-the-Record encryption control
  * set - Miscellaneous settings
  * help - BitlBee help system
  * save - Save your account data
@@ -244,6 +245,64 @@
 
 When called with only a connection specification as an argument, the command displays the current allow list for that connection.
 %
+?otr
+Syntax: otr <subcommand> [<arguments>]
+
+Available subcommands: connect, disconnect, smp, trust, info, keygen, and forget. See help otr <subcommand> for more information.
+%
+?otr connect
+Syntax: otr connect <nick>
+
+Attempts to establish an encrypted connection with the specified user by sending a magic string.
+%
+?otr disconnect
+Syntax: otr disconnect <nick>
+
+Resets the connection with the specified user to cleartext.
+%
+?otr smp
+Syntax: otr smp <nick> <secret>
+
+Attempts to authenticate the given user's active fingerprint via the Socialist Millionaires' Protocol.
+
+If an SMP challenge has already been received from the given user, responds with the specified secret. Otherwise, a challenge for the secret will be sent. If the protocol succeeds (i.e. both parties gave the same secret), the fingerprint will be trusted.
+%
+?otr trust
+Syntax: otr trust <nick> <fp1> <fp2> <fp3> <fp4> <fp5>
+
+Manually affirms trust in the specified fingerprint, given as five blocks of precisely eight (hexadecimal) digits each.
+%
+?otr info
+Syntax: otr info
+Syntax: otr info <nick>
+
+Shows information about the OTR state. The first form lists our private keys and current OTR contexts. The second form displays information about the connection with a given user, including the list of their known fingerprints.
+%
+?otr keygen
+Syntax: otr keygen <account-no>
+
+Generates a new OTR private key for the given account.
+%
+?otr forget
+Syntax: otr forget <thing> <arguments>
+
+Forgets some part of our OTR userstate. Available things: fingerprint, context, and key. See help otr forget <thing> for more information.
+%
+?otr forget fingerprint
+Syntax: otr forget fingerprint <nick> <fingerprint>
+
+Drops the specified fingerprint from the given user's OTR connection context. It is allowed to specify only a (unique) prefix of the desired fingerprint.
+%
+?otr forget context
+Syntax: otr forget context <nick>
+
+Forgets the entire OTR context associated with the given user. This includes current message and protocol states, as well as any fingerprints for that user.
+%
+?otr forget key
+Syntax: otr forget key <fingerprint>
+
+Forgets an OTR private key matching the specified fingerprint. It is allowed to specify only a (unique) prefix of the fingerprint.
+%
 ?set
 Syntax: set
 Syntax: set <variable>
@@ -411,6 +470,13 @@
 
 Most systems use UTF-8 these days. On older systems, an iso8859 charset may work better. For example, iso8859-1 is the best choice for most Western countries. You can try to find what works best for you on http://www.unicodecharacter.com/charsets/iso8859.html
 %
+?set color_encrypted
+Type: boolean
+Scope: global
+Default: true
+
+If set to true, BitlBee will color incoming encrypted messages according to their fingerprint trust level: untrusted=red, trusted=green.
+%
 ?set debug
 Type: boolean
 Scope: global
@@ -439,6 +505,16 @@
 
 With this option enabled, root will inform you when someone in your buddy list changes his/her "friendly name".
 %
+?set halfop_buddies
+Type: string
+Scope: global
+Default: encrypted
+Possible Values: encrypted, trusted, notaway, false
+
+Specifies under which circumstances BitlBee should give the "halfop" mode flag (+h) to buddies.
+
+If "false", the flag is never set. On "notaway", the flag is removed for users marked as "away" and set for all others. On "encrypted", the flag is set for users with whom we have an encrypted connection. On "trusted", it is set only for encrypted connections using a trusted key.
+%
 ?set handle_unknown
 Type: string
 Scope: global
@@ -468,6 +544,26 @@
 
 Some protocols (MSN, Yahoo!) can notify via IM about new e-mail. Since most people use their Hotmail/Yahoo! addresses as a spam-box, this is disabled default. If you want these notifications, you can enable this setting.
 %
+?set otr_policy
+Type: string
+Scope: global
+Default: opportunistic
+Possible Values: never, opportunistic, manual, always
+
+This setting controls the policy for establishing Off-the-Record connections.
+
+A value of "never" effectively disables the OTR subsystem. In "opportunistic" mode, a magic whitespace pattern will be appended to the first message sent to any user. If the peer is also running opportunistic OTR, an encrypted connection will be set up automatically. On "manual", on the other hand, OTR connections must be established explicitly using otr connect. Finally, the setting "always" enforces encrypted communication by causing BitlBee to refuse to send any cleartext messages at all.
+%
+?set op_buddies
+Type: string
+Scope: global
+Default: trusted
+Possible Values: encrypted, trusted, notaway, false
+
+Specifies under which circumstances BitlBee should give the "op" mode flag (+o) to buddies.
+
+If "false", the flag is never set. On "notaway", the flag is removed for users marked as "away" and set for all others. On "encrypted", the flag is set for users with whom we have an encrypted connection. On "trusted", it is set only for encrypted connections using a trusted key.
+%
 ?set ops
 Type: string
 Scope: global
@@ -606,6 +702,16 @@
 Default: false
 
 Sends you a /notice when a user starts typing a message (if supported by the IM protocol and the user's client). To use this, you most likely want to use a script in your IRC client to show this information in a more sensible way.
+%
+?set voice_buddies
+Type: string
+Scope: global
+Default: trusted
+Possible Values: encrypted, trusted, notaway, false
+
+Specifies under which circumstances BitlBee should give the "voice" mode flag (+v) to buddies.
+
+If "false", the flag is never set. On "notaway", the flag is removed for users marked as "away" and set for all others. On "encrypted", the flag is set for users with whom we have an encrypted connection. On "trusted", it is set only for encrypted connections using a trusted key.
 %
 ?set web_aware
 Type: string
diff -Naur bitlbee-1.2.3/irc.c bitlbee-otr-1.2.3/irc.c
--- bitlbee-1.2.3/irc.c	Sat Sep  6 15:17:52 2008
+++ bitlbee-otr-1.2.3/irc.c	Sun Feb  8 05:32:11 2009
@@ -149,12 +149,16 @@
 	s = set_add( &irc->set, "buddy_sendbuffer", "false", set_eval_bool, irc );
 	s = set_add( &irc->set, "buddy_sendbuffer_delay", "200", set_eval_int, irc );
 	s = set_add( &irc->set, "charset", "utf-8", set_eval_charset, irc );
+	s = set_add( &irc->set, "color_encrypted", "true", set_eval_bool, irc );
 	s = set_add( &irc->set, "debug", "false", set_eval_bool, irc );
 	s = set_add( &irc->set, "default_target", "root", NULL, irc );
 	s = set_add( &irc->set, "display_namechanges", "false", set_eval_bool, irc );
 	s = set_add( &irc->set, "handle_unknown", "root", NULL, irc );
+	s = set_add( &irc->set, "halfop_buddies", "encrypted", set_eval_halfop_buddies, irc );
 	s = set_add( &irc->set, "lcnicks", "true", set_eval_bool, irc );
+	s = set_add( &irc->set, "op_buddies", "trusted", set_eval_op_buddies, irc );
 	s = set_add( &irc->set, "ops", "both", set_eval_ops, irc );
+	s = set_add( &irc->set, "otr_policy", "opportunistic", set_eval_otr_policy, irc );
 	s = set_add( &irc->set, "password", NULL, set_eval_password, irc );
 	s->flags |= SET_NULL_OK;
 	s = set_add( &irc->set, "private", "true", set_eval_bool, irc );
@@ -165,9 +169,12 @@
 	s = set_add( &irc->set, "strip_html", "true", NULL, irc );
 	s = set_add( &irc->set, "to_char", ": ", set_eval_to_char, irc );
 	s = set_add( &irc->set, "typing_notice", "false", set_eval_bool, irc );
-	
+	s = set_add( &irc->set, "voice_buddies", "notaway",  set_eval_voice_buddies, irc );
+
 	conf_loaddefaults( irc );
 	
+	irc->otr = otr_new();
+	
 	/* Evaluator sets the iconv/oconv structures. */
 	set_eval_charset( set_find( &irc->set, "charset" ), set_getstr( &irc->set, "charset" ) );
 	
@@ -320,6 +327,8 @@
 	
 	g_free( irc->last_target );
 	
+	otr_free(irc->otr);
+
 	g_free( irc );
 	
 	if( global.conf->runmode == RUNMODE_INETD ||
diff -Naur bitlbee-1.2.3/irc.h bitlbee-otr-1.2.3/irc.h
--- bitlbee-1.2.3/irc.h	Sat Sep  6 12:33:14 2008
+++ bitlbee-otr-1.2.3/irc.h	Sun Feb  8 03:19:32 2009
@@ -26,6 +26,8 @@
 #ifndef _IRC_H
 #define _IRC_H
 
+#include "otr.h"
+
 #define IRC_MAX_LINE 512
 #define IRC_MAX_ARGS 8
 
@@ -96,6 +98,8 @@
 	gint r_watch_source_id;
 	gint w_watch_source_id;
 	gint ping_source_id;
+
+	otr_t *otr;            /* OTR state and book keeping */
 } irc_t;
 
 #include "user.h"
diff -Naur bitlbee-1.2.3/lib/ssl_bogus.c bitlbee-otr-1.2.3/lib/ssl_bogus.c
--- bitlbee-1.2.3/lib/ssl_bogus.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/lib/ssl_bogus.c	Sun Feb  8 02:03:37 2009
@@ -27,6 +27,10 @@
 
 int ssl_errno;
 
+void ssl_init( void )
+{
+}
+
 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
 {
 	return( NULL );
diff -Naur bitlbee-1.2.3/lib/ssl_client.h bitlbee-otr-1.2.3/lib/ssl_client.h
--- bitlbee-1.2.3/lib/ssl_client.h	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/lib/ssl_client.h	Sun Feb  8 02:02:05 2009
@@ -46,6 +46,9 @@
 typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition);
 
 
+/* Perform any global initialization the SSL library might need. */
+G_MODULE_EXPORT void ssl_init( void );
+
 /* Connect to host:port, call the given function when the connection is
    ready to be used for SSL traffic. This is all done asynchronously, no
    blocking I/O! (Except for the DNS lookups, for now...) */
diff -Naur bitlbee-1.2.3/lib/ssl_gnutls.c bitlbee-otr-1.2.3/lib/ssl_gnutls.c
--- bitlbee-1.2.3/lib/ssl_gnutls.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/lib/ssl_gnutls.c	Sun Feb  8 02:01:17 2009
@@ -60,6 +60,13 @@
 static gboolean ssl_handshake( gpointer data, gint source, b_input_condition cond );
 
 
+void ssl_init( void )
+{
+	gnutls_global_init();
+	initialized = TRUE;
+	atexit( gnutls_global_deinit );
+}
+
 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
@@ -121,9 +128,7 @@
 	
 	if( !initialized )
 	{
-		gnutls_global_init();
-		initialized = TRUE;
-		atexit( gnutls_global_deinit );
+		ssl_init();
 	}
 	
 	gnutls_certificate_allocate_credentials( &conn->xcred );
diff -Naur bitlbee-1.2.3/lib/ssl_nss.c bitlbee-otr-1.2.3/lib/ssl_nss.c
--- bitlbee-1.2.3/lib/ssl_nss.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/lib/ssl_nss.c	Sun Feb  8 02:01:13 2009
@@ -90,6 +90,14 @@
 }
 
 
+void ssl_init( void )
+{
+	PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+	NSS_NoDB_Init(NULL);
+	NSS_SetDomesticPolicy();
+	initialized = TRUE;
+}
+
 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
@@ -106,9 +114,7 @@
 	
 	if( !initialized )
 	{
-		PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-		NSS_NoDB_Init(NULL);
-		NSS_SetDomesticPolicy();
+		ssl_init();
 	}
 
 	
diff -Naur bitlbee-1.2.3/lib/ssl_openssl.c bitlbee-otr-1.2.3/lib/ssl_openssl.c
--- bitlbee-1.2.3/lib/ssl_openssl.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/lib/ssl_openssl.c	Sun Feb  8 02:00:39 2009
@@ -56,6 +56,12 @@
 static gboolean ssl_handshake( gpointer data, gint source, b_input_condition cond );
 
 
+void ssl_init( void )
+{
+	initialized = TRUE;
+	SSLeay_add_ssl_algorithms();
+}
+
 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
@@ -114,8 +120,7 @@
 	
 	if( !initialized )
 	{
-		initialized = TRUE;
-		SSLeay_add_ssl_algorithms();
+		ssl_init();
 	}
 	
 	meth = TLSv1_client_method();
diff -Naur bitlbee-1.2.3/otr.c bitlbee-otr-1.2.3/otr.c
--- bitlbee-1.2.3/otr.c	Thu Jan  1 00:00:00 1970
+++ bitlbee-otr-1.2.3/otr.c	Sat Feb  7 09:16:38 2009
@@ -0,0 +1,1709 @@
+  /********************************************************************\
+  * BitlBee -- An IRC to other IM-networks gateway                     *
+  *                                                                    *
+  * Copyright 2002-2008 Wilmer van der Gaast and others                *
+  \********************************************************************/
+
+/*
+  OTR support (cf. http://www.cypherpunks.ca/otr/)
+  
+  2008, Sven Moritz Hallberg <pesco@khjk.org>
+  (c) and funded by stonedcoder.org
+    
+  files used to store OTR data:
+    <configdir>/<nick>.otr_keys
+    <configdir>/<nick>.otr_fprints
+    
+  top-level todos: (search for TODO for more ;-))
+    integrate otr_load/otr_save with existing storage backends
+    per-account policy settings
+    per-user policy settings
+*/
+
+/*
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License with
+  the Debian GNU/Linux distribution in /usr/share/common-licenses/GPL;
+  if not, write to the Free Software Foundation, Inc., 59 Temple Place,
+  Suite 330, Boston, MA  02111-1307  USA
+*/
+
+#include "bitlbee.h"
+#ifdef WITH_OTR
+#include "irc.h"
+#include "otr.h"
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <assert.h>
+#include <signal.h>
+
+
+/** OTR interface routines for the OtrlMessageAppOps struct: **/
+
+OtrlPolicy op_policy(void *opdata, ConnContext *context);
+
+void op_create_privkey(void *opdata, const char *accountname, const char *protocol);
+
+int op_is_logged_in(void *opdata, const char *accountname, const char *protocol,
+	const char *recipient);
+
+void op_inject_message(void *opdata, const char *accountname, const char *protocol,
+	const char *recipient, const char *message);
+
+int op_display_otr_message(void *opdata, const char *accountname, const char *protocol,
+	const char *username, const char *msg);
+
+void op_new_fingerprint(void *opdata, OtrlUserState us, const char *accountname,
+	const char *protocol, const char *username, unsigned char fingerprint[20]);
+
+void op_write_fingerprints(void *opdata);
+
+void op_gone_secure(void *opdata, ConnContext *context);
+
+void op_gone_insecure(void *opdata, ConnContext *context);
+
+void op_still_secure(void *opdata, ConnContext *context, int is_reply);
+
+void op_log_message(void *opdata, const char *message);
+
+int op_max_message_size(void *opdata, ConnContext *context);
+
+const char *op_account_name(void *opdata, const char *account, const char *protocol);
+
+
+/** otr sub-command handlers: **/
+
+void cmd_otr_connect(irc_t *irc, char **args);
+void cmd_otr_disconnect(irc_t *irc, char **args);
+void cmd_otr_smp(irc_t *irc, char **args);
+void cmd_otr_trust(irc_t *irc, char **args);
+void cmd_otr_info(irc_t *irc, char **args);
+void cmd_otr_keygen(irc_t *irc, char **args);
+void cmd_otr_forget(irc_t *irc, char **args);
+
+const command_t otr_commands[] = {
+	{ "connect",     1, &cmd_otr_connect,    0 },
+	{ "disconnect",  1, &cmd_otr_disconnect, 0 },
+	{ "smp",         2, &cmd_otr_smp,        0 },
+	{ "trust",       6, &cmd_otr_trust,      0 },
+	{ "info",        0, &cmd_otr_info,       0 },
+	{ "keygen",      1, &cmd_otr_keygen,     0 },
+	{ "forget",      2, &cmd_otr_forget,     0 },
+	{ NULL }
+};
+
+typedef struct {
+	void *fst;
+	void *snd;
+} pair_t;	
+
+
+/** misc. helpers/subroutines: **/
+
+/* check whether we are already generating a key for a given account */
+int keygen_in_progress(irc_t *irc, const char *handle, const char *protocol);
+
+/* start background process to generate a (new) key for a given account */
+void otr_keygen(irc_t *irc, const char *handle, const char *protocol);
+
+/* main function for the forked keygen slave */
+void keygen_child_main(OtrlUserState us, int infd, int outfd);
+
+/* mainloop handler for when a keygen finishes */
+gboolean keygen_finish_handler(gpointer data, gint fd, b_input_condition cond);
+
+/* copy the contents of file a to file b, overwriting it if it exists */
+void copyfile(const char *a, const char *b);
+
+/* read one line of input from a stream, excluding trailing newline */
+void myfgets(char *s, int size, FILE *stream);
+
+/* some yes/no handlers */
+void yes_keygen(void *data);
+void yes_forget_fingerprint(void *data);
+void yes_forget_context(void *data);
+void yes_forget_key(void *data);
+
+/* helper to make sure accountname and protocol match the incoming "opdata" */
+struct im_connection *check_imc(void *opdata, const char *accountname,
+	const char *protocol);
+
+/* determine the nick for a given handle/protocol pair
+   returns "handle/protocol" if not found */
+const char *peernick(irc_t *irc, const char *handle, const char *protocol);
+
+/* turn a hexadecimal digit into its numerical value */
+int hexval(char a);
+
+/* determine the user_t for a given handle/protocol pair
+   returns NULL if not found */
+user_t *peeruser(irc_t *irc, const char *handle, const char *protocol);
+
+/* handle SMP TLVs from a received message */
+void otr_handle_smp(struct im_connection *ic, const char *handle, OtrlTLV *tlvs);
+
+/* update op/voice flag of given user according to encryption state and settings
+   returns 0 if neither op_buddies nor voice_buddies is set to "encrypted",
+   i.e. msgstate should be announced seperately */
+int otr_update_modeflags(irc_t *irc, user_t *u);
+
+/* show general info about the OTR subsystem; called by 'otr info' */
+void show_general_otr_info(irc_t *irc);
+
+/* show info about a given OTR context */
+void show_otr_context_info(irc_t *irc, ConnContext *ctx);
+
+/* show the list of fingerprints associated with a given context */
+void show_fingerprints(irc_t *irc, ConnContext *ctx);
+
+/* find a fingerprint by prefix (given as any number of hex strings) */
+Fingerprint *match_fingerprint(irc_t *irc, ConnContext *ctx, const char **args);
+
+/* find a private key by fingerprint prefix (given as any number of hex strings) */
+OtrlPrivKey *match_privkey(irc_t *irc, const char **args);
+
+
+/*** routines declared in otr.h: ***/
+
+void otr_init(void)
+{
+	OTRL_INIT;
+	
+	/* fill global OtrlMessageAppOps */
+	global.otr_ops.policy = &op_policy;
+	global.otr_ops.create_privkey = &op_create_privkey;
+	global.otr_ops.is_logged_in = &op_is_logged_in;
+	global.otr_ops.inject_message = &op_inject_message;
+	global.otr_ops.notify = NULL;
+	global.otr_ops.display_otr_message = &op_display_otr_message;
+	global.otr_ops.update_context_list = NULL;
+	global.otr_ops.protocol_name = NULL;
+	global.otr_ops.protocol_name_free = NULL;
+	global.otr_ops.new_fingerprint = &op_new_fingerprint;
+	global.otr_ops.write_fingerprints = &op_write_fingerprints;
+	global.otr_ops.gone_secure = &op_gone_secure;
+	global.otr_ops.gone_insecure = &op_gone_insecure;
+	global.otr_ops.still_secure = &op_still_secure;
+	global.otr_ops.log_message = &op_log_message;
+	global.otr_ops.max_message_size = &op_max_message_size;
+	global.otr_ops.account_name = &op_account_name;
+	global.otr_ops.account_name_free = NULL;
+}
+
+otr_t *otr_new(void)
+{
+	otr_t *otr = g_new0(otr_t, 1);
+
+	otr->us = otrl_userstate_create();
+	
+	return otr;
+}
+
+void otr_free(otr_t *otr)
+{
+	otrl_userstate_free(otr->us);
+	if(otr->keygen) {
+		kill(otr->keygen, SIGTERM);
+		waitpid(otr->keygen, NULL, 0);
+		/* TODO: remove stale keygen tempfiles */
+	}
+	if(otr->to)
+		fclose(otr->to);
+	if(otr->from)
+		fclose(otr->from);
+	while(otr->todo) {
+		kg_t *p = otr->todo;
+		otr->todo = p->next;
+		g_free(p);
+	}
+	g_free(otr);
+}
+
+void otr_load(irc_t *irc)
+{
+	char s[512];
+	account_t *a;
+	gcry_error_t e;
+	gcry_error_t enoent = gcry_error_from_errno(ENOENT);
+	int kg=0;
+
+	g_snprintf(s, 511, "%s%s.otr_keys", global.conf->configdir, irc->nick);
+	e = otrl_privkey_read(irc->otr->us, s);
+	if(e && e!=enoent) {
+		irc_usermsg(irc, "otr load: %s: %s", s, gcry_strerror(e));
+	}
+	g_snprintf(s, 511, "%s%s.otr_fprints", global.conf->configdir, irc->nick);
+	e = otrl_privkey_read_fingerprints(irc->otr->us, s, NULL, NULL);
+	if(e && e!=enoent) {
+		irc_usermsg(irc, "otr load: %s: %s", s, gcry_strerror(e));
+	}
+	
+	/* check for otr keys on all accounts */
+	for(a=irc->accounts; a; a=a->next) {
+		kg = otr_check_for_key(a) || kg;
+	}
+	if(kg) {
+		irc_usermsg(irc, "Notice: "
+			"The accounts above do not have OTR encryption keys associated with them, yet. "
+			"These keys are now being generated in the background. "
+			"You will be notified as they are completed. "
+			"It is not necessary to wait; "
+			"BitlBee can be used normally during key generation. "
+			"You may safely ignore this message if you don't know what OTR is. ;)");
+	}
+}
+
+void otr_save(irc_t *irc)
+{
+	char s[512];
+	gcry_error_t e;
+
+	g_snprintf(s, 511, "%s%s.otr_fprints", global.conf->configdir, irc->nick);
+	e = otrl_privkey_write_fingerprints(irc->otr->us, s);
+	if(e) {
+		irc_usermsg(irc, "otr save: %s: %s", s, gcry_strerror(e));
+	}
+	chmod(s, 0600);
+}
+
+void otr_remove(const char *nick)
+{
+	char s[512];
+	
+	g_snprintf(s, 511, "%s%s.otr_keys", global.conf->configdir, nick);
+	unlink(s);
+	g_snprintf(s, 511, "%s%s.otr_fprints", global.conf->configdir, nick);
+	unlink(s);
+}
+
+void otr_rename(const char *onick, const char *nnick)
+{
+	char s[512], t[512];
+	
+	g_snprintf(s, 511, "%s%s.otr_keys", global.conf->configdir, onick);
+	g_snprintf(t, 511, "%s%s.otr_keys", global.conf->configdir, nnick);
+	rename(s,t);
+	g_snprintf(s, 511, "%s%s.otr_fprints", global.conf->configdir, onick);
+	g_snprintf(t, 511, "%s%s.otr_fprints", global.conf->configdir, nnick);
+	rename(s,t);
+}
+
+int otr_check_for_key(account_t *a)
+{
+	irc_t *irc = a->irc;
+	OtrlPrivKey *k;
+	
+	k = otrl_privkey_find(irc->otr->us, a->user, a->prpl->name);
+	if(k) {
+		irc_usermsg(irc, "otr: %s/%s ready", a->user, a->prpl->name);
+		return 0;
+	} if(keygen_in_progress(irc, a->user, a->prpl->name)) {
+		irc_usermsg(irc, "otr: keygen for %s/%s already in progress", a->user, a->prpl->name);
+		return 0;
+	} else {
+		irc_usermsg(irc, "otr: starting background keygen for %s/%s", a->user, a->prpl->name);
+		otr_keygen(irc, a->user, a->prpl->name);
+		return 1;
+	}
+}
+
+char *otr_handle_message(struct im_connection *ic, const char *handle, const char *msg)
+{
+	int ignore_msg;
+	char *newmsg = NULL;
+	OtrlTLV *tlvs = NULL;
+	char *colormsg;
+	
+	ignore_msg = otrl_message_receiving(ic->irc->otr->us, &global.otr_ops, ic,
+		ic->acc->user, ic->acc->prpl->name, handle, msg, &newmsg,
+		&tlvs, NULL, NULL);
+
+	otr_handle_smp(ic, handle, tlvs);
+	
+	if(ignore_msg) {
+		/* this was an internal OTR protocol message */
+		return NULL;
+	} else if(!newmsg) {
+		/* this was a non-OTR message */
+		return g_strdup(msg);
+	} else {
+		/* OTR has processed this message */
+		ConnContext *context = otrl_context_find(ic->irc->otr->us, handle,
+			ic->acc->user, ic->acc->prpl->name, 0, NULL, NULL, NULL);
+		if(context && context->msgstate == OTRL_MSGSTATE_ENCRYPTED &&
+		   set_getbool(&ic->irc->set, "color_encrypted")) {
+			/* color according to f'print trust */
+			int color;
+			const char *trust = context->active_fingerprint->trust;
+			if(trust && trust[0] != '\0')
+				color=3;   /* green */
+			else
+				color=5;   /* red */
+			colormsg = g_strdup_printf("\x03%.2d,00%s\x0F", color, newmsg);
+		} else {
+			colormsg = g_strdup(newmsg);
+		}
+		otrl_message_free(newmsg);
+		return colormsg;
+	}
+}
+
+int otr_send_message(struct im_connection *ic, const char *handle, const char *msg, int flags)
+{	
+	int st;
+	char *otrmsg = NULL;
+	ConnContext *ctx = NULL;
+	
+	st = otrl_message_sending(ic->irc->otr->us, &global.otr_ops, ic,
+		ic->acc->user, ic->acc->prpl->name, handle,
+		msg, NULL, &otrmsg, NULL, NULL);
+	if(st) {
+		return st;
+	}
+
+	ctx = otrl_context_find(ic->irc->otr->us,
+			handle, ic->acc->user, ic->acc->prpl->name,
+			1, NULL, NULL, NULL);
+
+	if(otrmsg) {
+		if(!ctx) {
+			otrl_message_free(otrmsg);
+			return 1;
+		}
+		st = otrl_message_fragment_and_send(&global.otr_ops, ic, ctx,
+			otrmsg, OTRL_FRAGMENT_SEND_ALL, NULL);
+		otrl_message_free(otrmsg);
+	} else {
+		/* note: otrl_message_sending handles policy, so that if REQUIRE_ENCRYPTION is set,
+		   this case does not occur */
+		st = ic->acc->prpl->buddy_msg( ic, (char *)handle, (char *)msg, flags );
+	}
+	
+	return st;
+}
+
+void cmd_otr(irc_t *irc, char **args)
+{
+	const command_t *cmd;
+	
+	if(!args[0])
+		return;
+	
+	if(!args[1])
+		return;
+	
+	for(cmd=otr_commands; cmd->command; cmd++) {
+		if(strcmp(cmd->command, args[1]) == 0)
+			break;
+	}
+	
+	if(!cmd->command) {
+		irc_usermsg(irc, "%s: unknown subcommand \"%s\", see \x02help otr\x02",
+			args[0], args[1]);
+		return;
+	}
+	
+	if(!args[cmd->required_parameters+1]) {
+		irc_usermsg(irc, "%s %s: not enough arguments (%d req.)",
+			args[0], args[1], cmd->required_parameters);
+		return;
+	}
+	
+	cmd->execute(irc, args+1);
+}
+
+
+/*** OTR "MessageAppOps" callbacks for global.otr_ui: ***/
+
+OtrlPolicy op_policy(void *opdata, ConnContext *context)
+{
+	struct im_connection *ic = check_imc(opdata, context->accountname, context->protocol);
+	const char *p;
+	
+	/* policy override during keygen: if we're missing the key for context but are currently
+	   generating it, then that's as much as we can do. => temporarily return NEVER. */
+	if(keygen_in_progress(ic->irc, context->accountname, context->protocol) &&
+	   !otrl_privkey_find(ic->irc->otr->us, context->accountname, context->protocol))
+		return OTRL_POLICY_NEVER;
+
+	p = set_getstr(&ic->irc->set, "otr_policy");
+	if(!strcmp(p, "never"))
+		return OTRL_POLICY_NEVER;
+	if(!strcmp(p, "opportunistic"))
+		return OTRL_POLICY_OPPORTUNISTIC;
+	if(!strcmp(p, "manual"))
+		return OTRL_POLICY_MANUAL;
+	if(!strcmp(p, "always"))
+		return OTRL_POLICY_ALWAYS;
+	
+	return OTRL_POLICY_OPPORTUNISTIC;
+}
+
+void op_create_privkey(void *opdata, const char *accountname,
+	const char *protocol)
+{
+	struct im_connection *ic = check_imc(opdata, accountname, protocol);
+	
+	/* will fail silently if keygen already in progress */
+	otr_keygen(ic->irc, accountname, protocol);
+}
+
+int op_is_logged_in(void *opdata, const char *accountname,
+	const char *protocol, const char *recipient)
+{
+	struct im_connection *ic = check_imc(opdata, accountname, protocol);
+	user_t *u;
+
+	/* lookup the user_t for the given recipient */
+	u = user_findhandle(ic, recipient);
+	if(u) {
+		if(u->online)
+			return 1;
+		else
+			return 0;
+	} else {
+		return -1;
+	}
+}
+
+void op_inject_message(void *opdata, const char *accountname,
+	const char *protocol, const char *recipient, const char *message)
+{
+	struct im_connection *ic = check_imc(opdata, accountname, protocol);
+
+	if (strcmp(accountname, recipient) == 0) {
+		/* huh? injecting messages to myself? */
+		irc_usermsg(ic->irc, "note to self: %s", message);
+	} else {
+		/* need to drop some consts here :-( */
+		/* TODO: get flags into op_inject_message?! */
+		ic->acc->prpl->buddy_msg(ic, (char *)recipient, (char *)message, 0);
+		/* ignoring return value :-/ */
+	}
+}
+
+int op_display_otr_message(void *opdata, const char *accountname,
+	const char *protocol, const char *username, const char *message)
+{
+	struct im_connection *ic = check_imc(opdata, accountname, protocol);
+	char *msg = g_strdup(message);
+
+	strip_html(msg);
+	irc_usermsg(ic->irc, "otr: %s", msg);
+
+	g_free(msg);
+	return 0;
+}
+
+void op_new_fingerprint(void *opdata, OtrlUserState us,
+	const char *accountname, const char *protocol,
+	const char *username, unsigned char fingerprint[20])
+{
+	struct im_connection *ic = check_imc(opdata, accountname, protocol);
+	char hunam[45];		/* anybody looking? ;-) */
+	
+	otrl_privkey_hash_to_human(hunam, fingerprint);
+	irc_usermsg(ic->irc, "new fingerprint for %s: %s",
+		peernick(ic->irc, username, protocol), hunam);
+}
+
+void op_write_fingerprints(void *opdata)
+{
+	struct im_connection *ic = (struct im_connection *)opdata;
+
+	otr_save(ic->irc);
+}
+
+void op_gone_secure(void *opdata, ConnContext *context)
+{
+	struct im_connection *ic =
+		check_imc(opdata, context->accountname, context->protocol);
+	user_t *u;
+	const char *trust;
+
+	u = peeruser(ic->irc, context->username, context->protocol);
+	if(!u) {
+		log_message(LOGLVL_ERROR,
+			"BUG: otr.c: op_gone_secure: user_t for %s/%s/%s not found!",
+			context->username, context->protocol, context->accountname);
+		return;
+	}
+	
+	trust = context->active_fingerprint->trust;
+	if(trust && trust[0])
+		u->encrypted = 2;
+	else
+		u->encrypted = 1;
+	if(!otr_update_modeflags(ic->irc, u))
+		irc_usermsg(ic->irc, "conversation with %s is now off the record", u->nick);
+}
+
+void op_gone_insecure(void *opdata, ConnContext *context)
+{
+	struct im_connection *ic =
+		check_imc(opdata, context->accountname, context->protocol);
+	user_t *u;
+
+	u = peeruser(ic->irc, context->username, context->protocol);
+	if(!u) {
+		log_message(LOGLVL_ERROR,
+			"BUG: otr.c: op_gone_insecure: user_t for %s/%s/%s not found!",
+			context->username, context->protocol, context->accountname);
+		return;
+	}
+	u->encrypted = 0;
+	if(!otr_update_modeflags(ic->irc, u))
+		irc_usermsg(ic->irc, "conversation with %s is now in the clear", u->nick);
+}
+
+void op_still_secure(void *opdata, ConnContext *context, int is_reply)
+{
+	struct im_connection *ic =
+		check_imc(opdata, context->accountname, context->protocol);
+	user_t *u;
+
+	u = peeruser(ic->irc, context->username, context->protocol);
+	if(!u) {
+		log_message(LOGLVL_ERROR,
+			"BUG: otr.c: op_still_secure: user_t for %s/%s/%s not found!",
+			context->username, context->protocol, context->accountname);
+		return;
+	}
+	if(context->active_fingerprint->trust[0])
+		u->encrypted = 2;
+	else
+		u->encrypted = 1;
+	if(!otr_update_modeflags(ic->irc, u))
+		irc_usermsg(ic->irc, "otr connection with %s has been refreshed", u->nick);
+}
+
+void op_log_message(void *opdata, const char *message)
+{
+	char *msg = g_strdup(message);
+	
+	strip_html(msg);
+	log_message(LOGLVL_INFO, "otr: %s", msg);
+	g_free(msg);
+}
+
+int op_max_message_size(void *opdata, ConnContext *context)
+{
+	struct im_connection *ic =
+		check_imc(opdata, context->accountname, context->protocol);
+
+	return ic->acc->prpl->mms;
+}
+
+const char *op_account_name(void *opdata, const char *account, const char *protocol)
+{
+	struct im_connection *ic = (struct im_connection *)opdata;
+
+	return peernick(ic->irc, account, protocol);
+}
+
+
+/*** OTR sub-command handlers ***/
+
+void cmd_otr_disconnect(irc_t *irc, char **args)
+{
+	user_t *u;
+
+	u = user_find(irc, args[1]);
+	if(!u || !u->ic) {
+		irc_usermsg(irc, "%s: unknown user", args[1]);
+		return;
+	}
+	
+	otrl_message_disconnect(irc->otr->us, &global.otr_ops,
+		u->ic, u->ic->acc->user, u->ic->acc->prpl->name, u->handle);
+	
+	/* for some reason, libotr (3.1.0) doesn't do this itself: */
+	if(u->encrypted) {
+		ConnContext *ctx;
+		ctx = otrl_context_find(irc->otr->us, u->handle, u->ic->acc->user,
+			u->ic->acc->prpl->name, 0, NULL, NULL, NULL);
+		if(ctx)
+			op_gone_insecure(u->ic, ctx);
+		else /* huh? */
+			u->encrypted = 0;
+	}
+}
+
+void cmd_otr_connect(irc_t *irc, char **args)
+{
+	user_t *u;
+
+	u = user_find(irc, args[1]);
+	if(!u || !u->ic) {
+		irc_usermsg(irc, "%s: unknown user", args[1]);
+		return;
+	}
+	if(!u->online) {
+		irc_usermsg(irc, "%s is offline", args[1]);
+		return;
+	}
+	
+	imc_buddy_msg(u->ic, u->handle, "?OTR?", 0);
+}
+
+void cmd_otr_smp(irc_t *irc, char **args)
+{
+	user_t *u;
+	ConnContext *ctx;
+	
+	u = user_find(irc, args[1]);
+	if(!u || !u->ic) {
+		irc_usermsg(irc, "%s: unknown user", args[1]);
+		return;
+	}
+	if(!u->online) {
+		irc_usermsg(irc, "%s is offline", args[1]);
+		return;
+	}
+	
+	ctx = otrl_context_find(irc->otr->us, u->handle,
+		u->ic->acc->user, u->ic->acc->prpl->name, 1, NULL, NULL, NULL);
+	if(!ctx) {
+		/* huh? out of memory or what? */
+		return;
+	}
+
+	if(ctx->smstate->nextExpected != OTRL_SMP_EXPECT1) {
+		log_message(LOGLVL_INFO,
+			"SMP already in phase %d, sending abort before reinitiating",
+			ctx->smstate->nextExpected+1);
+		otrl_message_abort_smp(irc->otr->us, &global.otr_ops, u->ic, ctx);
+		otrl_sm_state_free(ctx->smstate);
+	}
+	
+	/* warning: the following assumes that smstates are cleared whenever an SMP
+	   is completed or aborted! */ 
+	if(ctx->smstate->secret == NULL) {
+		irc_usermsg(irc, "smp: initiating with %s...", u->nick);
+		otrl_message_initiate_smp(irc->otr->us, &global.otr_ops,
+			u->ic, ctx, (unsigned char *)args[2], strlen(args[2]));
+		/* smp is now in EXPECT2 */
+	} else {
+		/* if we're still in EXPECT1 but smstate is initialized, we must have
+		   received the SMP1, so let's issue a response */
+		irc_usermsg(irc, "smp: responding to %s...", u->nick);
+		otrl_message_respond_smp(irc->otr->us, &global.otr_ops,
+			u->ic, ctx, (unsigned char *)args[2], strlen(args[2]));
+		/* smp is now in EXPECT3 */
+	}
+}
+
+void cmd_otr_trust(irc_t *irc, char **args)
+{
+	user_t *u;
+	ConnContext *ctx;
+	unsigned char raw[20];
+	Fingerprint *fp;
+	int i,j;
+	
+	u = user_find(irc, args[1]);
+	if(!u || !u->ic) {
+		irc_usermsg(irc, "%s: unknown user", args[1]);
+		return;
+	}
+	
+	ctx = otrl_context_find(irc->otr->us, u->handle,
+		u->ic->acc->user, u->ic->acc->prpl->name, 0, NULL, NULL, NULL);
+	if(!ctx) {
+		irc_usermsg(irc, "%s: no otr context with user", args[1]);
+		return;
+	}
+	
+	/* convert given fingerprint to raw representation */
+	for(i=0; i<5; i++) {
+		for(j=0; j<4; j++) {
+			char *p = args[2+i]+(2*j);
+			char *q = p+1;
+			int x, y;
+			
+			if(!*p || !*q) {
+				irc_usermsg(irc, "failed: truncated fingerprint block %d", i+1);
+				return;
+			}
+			
+			x = hexval(*p);
+			y = hexval(*q);
+			if(x<0) {
+				irc_usermsg(irc, "failed: %d. hex digit of block %d out of range", 2*j+1, i+1);
+				return;
+			}
+			if(y<0) {
+				irc_usermsg(irc, "failed: %d. hex digit of block %d out of range", 2*j+2, i+1);
+				return;
+			}
+
+			raw[i*4+j] = x*16 + y;
+		}
+	}
+	fp = otrl_context_find_fingerprint(ctx, raw, 0, NULL);
+	if(!fp) {
+		irc_usermsg(irc, "failed: no such fingerprint for %s", args[1]);
+	} else {
+		char *trust = args[7] ? args[7] : "affirmed";
+		otrl_context_set_trust(fp, trust);
+		irc_usermsg(irc, "fingerprint match, trust set to \"%s\"", trust);
+		if(u->encrypted)
+			u->encrypted = 2;
+		otr_update_modeflags(irc, u);
+	}
+}
+
+void cmd_otr_info(irc_t *irc, char **args)
+{
+	if(!args[1]) {
+		show_general_otr_info(irc);
+	} else {
+		char *arg = g_strdup(args[1]);
+		char *myhandle, *handle=NULL, *protocol;
+		ConnContext *ctx;
+		
+		/* interpret arg as 'user/protocol/account' if possible */
+		protocol = strchr(arg, '/');
+		myhandle = NULL;
+		if(protocol) {
+			*(protocol++) = '\0';
+			myhandle = strchr(protocol, '/');
+		}
+		if(protocol && myhandle) {
+			*(myhandle++) = '\0';
+			handle = arg;
+			ctx = otrl_context_find(irc->otr->us, handle, myhandle, protocol, 0, NULL, NULL, NULL);
+			if(!ctx) {
+				irc_usermsg(irc, "no such context");
+				g_free(arg);
+				return;
+			}
+		} else {
+			user_t *u = user_find(irc, args[1]);
+			if(!u || !u->ic) {
+				irc_usermsg(irc, "%s: unknown user", args[1]);
+				g_free(arg);
+				return;
+			}
+			ctx = otrl_context_find(irc->otr->us, u->handle, u->ic->acc->user,
+				u->ic->acc->prpl->name, 0, NULL, NULL, NULL);
+			if(!ctx) {
+				irc_usermsg(irc, "no otr context with %s", args[1]);
+				g_free(arg);
+				return;
+			}
+		}
+	
+		/* show how we resolved the (nick) argument, if we did */
+		if(handle!=arg) {
+			irc_usermsg(irc, "%s is %s/%s; we are %s/%s to them", args[1],
+				ctx->username, ctx->protocol, ctx->accountname, ctx->protocol);
+		}
+		show_otr_context_info(irc, ctx);
+		g_free(arg);
+	}
+}
+
+void cmd_otr_keygen(irc_t *irc, char **args)
+{
+	int i, n;
+	account_t *a;
+	
+	n = atoi(args[1]);
+	if(n<0 || (!n && strcmp(args[1], "0"))) {
+		irc_usermsg(irc, "%s: invalid account number", args[1]);
+		return;
+	}
+	
+	a = irc->accounts;
+	for(i=0; i<n && a; i++, a=a->next);
+	if(!a) {
+		irc_usermsg(irc, "%s: no such account", args[1]);
+		return;
+	}
+	
+	if(keygen_in_progress(irc, a->user, a->prpl->name)) {
+		irc_usermsg(irc, "keygen for account %d already in progress", n);
+		return;
+	}
+	
+	if(otrl_privkey_find(irc->otr->us, a->user, a->prpl->name)) {
+		char *s = g_strdup_printf("account %d already has a key, replace it?", n);
+		query_add(irc, NULL, s, yes_keygen, NULL, a);
+		g_free(s);
+	} else {
+		otr_keygen(irc, a->user, a->prpl->name);
+	}
+}
+
+void yes_forget_fingerprint(void *data)
+{
+	pair_t *p = (pair_t *)data;
+	irc_t *irc = (irc_t *)p->fst;
+	Fingerprint *fp = (Fingerprint *)p->snd;
+
+	g_free(p);
+	
+	if(fp == fp->context->active_fingerprint) {
+		irc_usermsg(irc, "that fingerprint is active, terminate otr connection first");
+		return;
+	}
+		
+	otrl_context_forget_fingerprint(fp, 0);
+}
+
+void yes_forget_context(void *data)
+{
+	pair_t *p = (pair_t *)data;
+	irc_t *irc = (irc_t *)p->fst;
+	ConnContext *ctx = (ConnContext *)p->snd;
+
+	g_free(p);
+	
+	if(ctx->msgstate == OTRL_MSGSTATE_ENCRYPTED) {
+		irc_usermsg(irc, "active otr connection with %s, terminate it first",
+			peernick(irc, ctx->username, ctx->protocol));
+		return;
+	}
+		
+	if(ctx->msgstate == OTRL_MSGSTATE_FINISHED)
+		otrl_context_force_plaintext(ctx);
+	otrl_context_forget(ctx);
+}
+
+void yes_forget_key(void *data)
+{
+	OtrlPrivKey *key = (OtrlPrivKey *)data;
+	
+	otrl_privkey_forget(key);
+	/* Hm, libotr doesn't seem to offer a function for explicitly /writing/
+	   keyfiles. So the key will be back on the next load... */
+	/* TODO: Actually erase forgotten keys from storage? */
+}
+
+void cmd_otr_forget(irc_t *irc, char **args)
+{
+	if(!strcmp(args[1], "fingerprint"))
+	{
+		user_t *u;
+		ConnContext *ctx;
+		Fingerprint *fp;
+		char human[54];
+		char *s;
+		pair_t *p;
+		
+		if(!args[3]) {
+			irc_usermsg(irc, "otr %s %s: not enough arguments (2 req.)", args[0], args[1]);
+			return;
+		}
+		
+		/* TODO: allow context specs ("user/proto/account") in 'otr forget fingerprint'? */
+		u = user_find(irc, args[2]);
+		if(!u || !u->ic) {
+			irc_usermsg(irc, "%s: unknown user", args[2]);
+			return;
+		}
+		
+		ctx = otrl_context_find(irc->otr->us, u->handle, u->ic->acc->user,
+			u->ic->acc->prpl->name, 0, NULL, NULL, NULL);
+		if(!ctx) {
+			irc_usermsg(irc, "no otr context with %s", args[2]);
+			return;
+		}
+		
+		fp = match_fingerprint(irc, ctx, ((const char **)args)+3);
+		if(!fp) {
+			/* match_fingerprint does error messages */
+			return;
+		}
+		
+		if(fp == ctx->active_fingerprint) {
+			irc_usermsg(irc, "that fingerprint is active, terminate otr connection first");
+			return;
+		}
+		
+		otrl_privkey_hash_to_human(human, fp->fingerprint);
+		s = g_strdup_printf("about to forget fingerprint %s, are you sure?", human);
+		p = g_malloc(sizeof(pair_t));
+		if(!p)
+			return;
+		p->fst = irc;
+		p->snd = fp;
+		query_add(irc, NULL, s, yes_forget_fingerprint, NULL, p);
+		g_free(s);
+	}
+	
+	else if(!strcmp(args[1], "context"))
+	{
+		user_t *u;
+		ConnContext *ctx;
+		char *s;
+		pair_t *p;
+		
+		/* TODO: allow context specs ("user/proto/account") in 'otr forget contex'? */
+		u = user_find(irc, args[2]);
+		if(!u || !u->ic) {
+			irc_usermsg(irc, "%s: unknown user", args[2]);
+			return;
+		}
+		
+		ctx = otrl_context_find(irc->otr->us, u->handle, u->ic->acc->user,
+			u->ic->acc->prpl->name, 0, NULL, NULL, NULL);
+		if(!ctx) {
+			irc_usermsg(irc, "no otr context with %s", args[2]);
+			return;
+		}
+		
+		if(ctx->msgstate == OTRL_MSGSTATE_ENCRYPTED) {
+			irc_usermsg(irc, "active otr connection with %s, terminate it first", args[2]);
+			return;
+		}
+		
+		s = g_strdup_printf("about to forget otr data about %s, are you sure?", args[2]);
+		p = g_malloc(sizeof(pair_t));
+		if(!p)
+			return;
+		p->fst = irc;
+		p->snd = ctx;
+		query_add(irc, NULL, s, yes_forget_context, NULL, p);
+		g_free(s);
+	}
+	
+	else if(!strcmp(args[1], "key"))
+	{
+		OtrlPrivKey *key;
+		char *s;
+		
+		key = match_privkey(irc, ((const char **)args)+2);
+		if(!key) {
+			/* match_privkey does error messages */
+			return;
+		}
+		
+		s = g_strdup_printf("about to forget the private key for %s/%s, are you sure?",
+			key->accountname, key->protocol);
+		query_add(irc, NULL, s, yes_forget_key, NULL, key);
+		g_free(s);
+	}
+	
+	else
+	{
+		irc_usermsg(irc, "otr %s: unknown subcommand \"%s\", see \x02help otr forget\x02",
+			args[0], args[1]);
+	}
+}
+
+
+/*** local helpers / subroutines: ***/
+
+/* Socialist Millionaires' Protocol */
+void otr_handle_smp(struct im_connection *ic, const char *handle, OtrlTLV *tlvs)
+{
+	irc_t *irc = ic->irc;
+	OtrlUserState us = irc->otr->us;
+	OtrlMessageAppOps *ops = &global.otr_ops;
+	OtrlTLV *tlv = NULL;
+	ConnContext *context;
+	NextExpectedSMP nextMsg;
+	user_t *u;
+
+	u = user_findhandle(ic, handle);
+	if(!u) return;
+	context = otrl_context_find(us, handle,
+		ic->acc->user, ic->acc->prpl->name, 1, NULL, NULL, NULL);
+	if(!context) {
+		/* huh? out of memory or what? */
+		return;
+	}
+	nextMsg = context->smstate->nextExpected;
+
+	tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP1);
+	if (tlv) {
+		if (nextMsg != OTRL_SMP_EXPECT1) {
+			irc_usermsg(irc, "smp %s: spurious SMP1 received, aborting", u->nick);
+			otrl_message_abort_smp(us, ops, u->ic, context);
+			otrl_sm_state_free(context->smstate);
+		} else {
+			irc_usermsg(irc, "smp: initiated by %s"
+				" - respond with \x02otr smp %s <secret>\x02",
+				u->nick, u->nick);
+			/* smp stays in EXPECT1 until user responds */
+		}
+	}
+	tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP2);
+	if (tlv) {
+		if (nextMsg != OTRL_SMP_EXPECT2) {
+			irc_usermsg(irc, "smp %s: spurious SMP2 received, aborting", u->nick);
+			otrl_message_abort_smp(us, ops, u->ic, context);
+			otrl_sm_state_free(context->smstate);
+		} else {
+			/* SMP2 received, otrl_message_receiving will have sent SMP3 */
+			context->smstate->nextExpected = OTRL_SMP_EXPECT4;
+		}
+	}
+	tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP3);
+	if (tlv) {
+		if (nextMsg != OTRL_SMP_EXPECT3) {
+			irc_usermsg(irc, "smp %s: spurious SMP3 received, aborting", u->nick);
+			otrl_message_abort_smp(us, ops, u->ic, context);
+			otrl_sm_state_free(context->smstate);
+		} else {
+			/* SMP3 received, otrl_message_receiving will have sent SMP4 and set fp trust */
+			const char *trust = context->active_fingerprint->trust;
+			if(!trust || trust[0]=='\0') {
+				irc_usermsg(irc, "smp %s: secrets did not match, fingerprint not trusted",
+					u->nick);
+			} else {
+				irc_usermsg(irc, "smp %s: secrets proved equal, fingerprint trusted",
+					u->nick);
+			}
+			otrl_sm_state_free(context->smstate);
+			/* smp is in back in EXPECT1 */
+		}
+	}
+	tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP4);
+	if (tlv) {
+		if (nextMsg != OTRL_SMP_EXPECT4) {
+			irc_usermsg(irc, "smp %s: spurious SMP4 received, aborting", u->nick);
+			otrl_message_abort_smp(us, ops, u->ic, context);
+			otrl_sm_state_free(context->smstate);
+		} else {
+			/* SMP4 received, otrl_message_receiving will have set fp trust */
+			const char *trust = context->active_fingerprint->trust;
+			if(!trust || trust[0]=='\0') {
+				irc_usermsg(irc, "smp %s: secrets did not match, fingerprint not trusted",
+					u->nick);
+			} else {
+				irc_usermsg(irc, "smp %s: secrets proved equal, fingerprint trusted",
+					u->nick);
+			}
+			otrl_sm_state_free(context->smstate);
+			/* smp is in back in EXPECT1 */
+		}
+	}
+	tlv = otrl_tlv_find(tlvs, OTRL_TLV_SMP_ABORT);
+	if (tlv) {
+	 	irc_usermsg(irc, "smp: received abort from %s", u->nick);
+		otrl_sm_state_free(context->smstate);
+		/* smp is in back in EXPECT1 */
+	}
+}
+
+/* helper to assert that account and protocol names given to ops below always
+   match the im_connection passed through as opdata */
+struct im_connection *check_imc(void *opdata, const char *accountname,
+	const char *protocol)
+{
+	struct im_connection *ic = (struct im_connection *)opdata;
+
+	if (strcmp(accountname, ic->acc->user) != 0) {
+		log_message(LOGLVL_WARNING,
+			"otr: internal account name mismatch: '%s' vs '%s'",
+			accountname, ic->acc->user);
+	}
+	if (strcmp(protocol, ic->acc->prpl->name) != 0) {
+		log_message(LOGLVL_WARNING,
+			"otr: internal protocol name mismatch: '%s' vs '%s'",
+			protocol, ic->acc->prpl->name);
+	}
+	
+	return ic;
+}
+
+user_t *peeruser(irc_t *irc, const char *handle, const char *protocol)
+{
+	user_t *u;
+	
+	for(u=irc->users; u; u=u->next) {
+		struct prpl *prpl;
+		if(!u->ic || !u->handle)
+			continue;
+		prpl = u->ic->acc->prpl;
+		if(strcmp(prpl->name, protocol) == 0
+			&& prpl->handle_cmp(u->handle, handle) == 0) {
+			return u;
+		}
+	}
+	
+	return NULL;
+}
+
+int hexval(char a)
+{
+	int x=tolower(a);
+	
+	if(x>='a' && x<='f')
+		x = x - 'a' + 10;
+	else if(x>='0' && x<='9')
+		x = x - '0';
+	else
+		return -1;
+	
+	return x;
+}
+
+const char *peernick(irc_t *irc, const char *handle, const char *protocol)
+{
+	static char fallback[512];
+	
+	user_t *u = peeruser(irc, handle, protocol);
+	if(u) {
+		return u->nick;
+	} else {
+		g_snprintf(fallback, 511, "%s/%s", handle, protocol);
+		return fallback;
+	}
+}
+
+int otr_update_modeflags(irc_t *irc, user_t *u)
+{
+	char *vb = set_getstr(&irc->set, "voice_buddies");
+	char *hb = set_getstr(&irc->set, "halfop_buddies");
+	char *ob = set_getstr(&irc->set, "op_buddies");
+	int encrypted = u->encrypted;
+	int trusted = u->encrypted > 1;
+	char flags[7];
+	int nflags=0;
+	char *p = flags;
+	char *from;
+	int i;
+	
+	if(!strcmp(vb, "encrypted")) {
+		*(p++) = encrypted ? '+' : '-';
+		*(p++) = 'v';
+		nflags++;
+	} else if(!strcmp(vb, "trusted")) {
+		*(p++) = trusted ? '+' : '-';
+		*(p++) = 'v';
+		nflags++;
+	}
+	if(!strcmp(hb, "encrypted")) {
+		*(p++) = encrypted ? '+' : '-';
+		*(p++) = 'h';
+		nflags++;
+	} else if(!strcmp(hb, "trusted")) {
+		*(p++) = trusted ? '+' : '-';
+		*(p++) = 'h';
+		nflags++;
+	}
+	if(!strcmp(ob, "encrypted")) {
+		*(p++) = encrypted ? '+' : '-';
+		*(p++) = 'o';
+		nflags++;
+	} else if(!strcmp(ob, "trusted")) {
+		*(p++) = trusted ? '+' : '-';
+		*(p++) = 'o';
+		nflags++;
+	}
+	*p = '\0';
+	
+	p = g_malloc(nflags * (strlen(u->nick)+1) + 1);
+	*p = '\0';
+	if(!p)
+		return 0;
+	for(i=0; i<nflags; i++) {
+		strcat(p, " ");
+		strcat(p, u->nick);
+	}
+	if(set_getbool(&irc->set, "simulate_netsplit"))
+		from = g_strdup(irc->myhost);
+	else
+		from = g_strdup_printf("%s!%s@%s", irc->mynick, irc->mynick, irc->myhost);
+	irc_write(irc, ":%s MODE %s %s%s", from, irc->channel, flags, p);
+	g_free(from);
+	g_free(p);
+		
+	return 1;
+}
+
+void show_fingerprints(irc_t *irc, ConnContext *ctx)
+{
+	char human[45];
+	Fingerprint *fp;
+	const char *trust;
+	int count=0;
+	
+	for(fp=&ctx->fingerprint_root; fp; fp=fp->next) {
+		if(!fp->fingerprint)
+			continue;
+		count++;
+		otrl_privkey_hash_to_human(human, fp->fingerprint);
+		if(!fp->trust || fp->trust[0] == '\0') {
+			trust="untrusted";
+		} else {
+			trust=fp->trust;
+		}
+		if(fp == ctx->active_fingerprint) {
+			irc_usermsg(irc, "    \x02%s (%s)\x02", human, trust);
+		} else {
+			irc_usermsg(irc, "    %s (%s)", human, trust);
+		}
+	}
+	if(count==0)
+		irc_usermsg(irc, "    (none)");
+}
+
+Fingerprint *match_fingerprint(irc_t *irc, ConnContext *ctx, const char **args)
+{
+	Fingerprint *fp, *fp2;
+	char human[45];
+	char prefix[45], *p;
+	int n;
+	int i,j;
+	
+	/* assemble the args into a prefix in standard "human" form */
+	n=0;
+	p=prefix;
+	for(i=0; args[i]; i++) {
+		for(j=0; args[i][j]; j++) {
+			char c = toupper(args[i][j]);
+			
+			if(n>=40) {
+				irc_usermsg(irc, "too many fingerprint digits given, expected at most 40");
+				return NULL;
+			}
+			
+			if( (c>='A' && c<='F') || (c>='0' && c<='9') ) {
+				*(p++) = c;
+			} else {
+				irc_usermsg(irc, "invalid hex digit '%c' in block %d", args[i][j], i+1);
+				return NULL;
+			}
+			
+			n++;
+			if(n%8 == 0)
+				*(p++) = ' ';
+		}
+	}
+	*p = '\0';
+	
+	/* find first fingerprint with the given prefix */
+	n = strlen(prefix);
+	for(fp=&ctx->fingerprint_root; fp; fp=fp->next) {
+		if(!fp->fingerprint)
+			continue;
+		otrl_privkey_hash_to_human(human, fp->fingerprint);
+		if(!strncmp(prefix, human, n))
+			break;
+	}
+	if(!fp) {
+		irc_usermsg(irc, "%s: no match", prefix);
+		return NULL;
+	}
+	
+	/* make sure the match, if any, is unique */
+	for(fp2=fp->next; fp2; fp2=fp2->next) {
+		if(!fp2->fingerprint)
+			continue;
+		otrl_privkey_hash_to_human(human, fp2->fingerprint);
+		if(!strncmp(prefix, human, n))
+			break;
+	}
+	if(fp2) {
+		irc_usermsg(irc, "%s: multiple matches", prefix);
+		return NULL;
+	}
+	
+	return fp;
+}
+
+OtrlPrivKey *match_privkey(irc_t *irc, const char **args)
+{
+	OtrlPrivKey *k, *k2;
+	char human[45];
+	char prefix[45], *p;
+	int n;
+	int i,j;
+	
+	/* assemble the args into a prefix in standard "human" form */
+	n=0;
+	p=prefix;
+	for(i=0; args[i]; i++) {
+		for(j=0; args[i][j]; j++) {
+			char c = toupper(args[i][j]);
+			
+			if(n>=40) {
+				irc_usermsg(irc, "too many fingerprint digits given, expected at most 40");
+				return NULL;
+			}
+			
+			if( (c>='A' && c<='F') || (c>='0' && c<='9') ) {
+				*(p++) = c;
+			} else {
+				irc_usermsg(irc, "invalid hex digit '%c' in block %d", args[i][j], i+1);
+				return NULL;
+			}
+			
+			n++;
+			if(n%8 == 0)
+				*(p++) = ' ';
+		}
+	}
+	*p = '\0';
+	
+	/* find first key which matches the given prefix */
+	n = strlen(prefix);
+	for(k=irc->otr->us->privkey_root; k; k=k->next) {
+		p = otrl_privkey_fingerprint(irc->otr->us, human, k->accountname, k->protocol);
+		if(!p) /* gah! :-P */
+			continue;
+		if(!strncmp(prefix, human, n))
+			break;
+	}
+	if(!k) {
+		irc_usermsg(irc, "%s: no match", prefix);
+		return NULL;
+	}
+	
+	/* make sure the match, if any, is unique */
+	for(k2=k->next; k2; k2=k2->next) {
+		p = otrl_privkey_fingerprint(irc->otr->us, human, k2->accountname, k2->protocol);
+		if(!p) /* gah! :-P */
+			continue;
+		if(!strncmp(prefix, human, n))
+			break;
+	}
+	if(k2) {
+		irc_usermsg(irc, "%s: multiple matches", prefix);
+		return NULL;
+	}
+	
+	return k;
+}
+
+void show_general_otr_info(irc_t *irc)
+{
+	ConnContext *ctx;
+	OtrlPrivKey *key;
+	char human[45];
+	kg_t *kg;
+
+	/* list all privkeys (including ones being generated) */
+	irc_usermsg(irc, "\x1fprivate keys:\x1f");
+	for(key=irc->otr->us->privkey_root; key; key=key->next) {
+		const char *hash;
+		
+		switch(key->pubkey_type) {
+		case OTRL_PUBKEY_TYPE_DSA:
+			irc_usermsg(irc, "  %s/%s - DSA", key->accountname, key->protocol);
+			break;
+		default:
+			irc_usermsg(irc, "  %s/%s - type %d", key->accountname, key->protocol,
+				key->pubkey_type);
+		}
+
+		/* No, it doesn't make much sense to search for the privkey again by
+		   account/protocol, but libotr currently doesn't provide a direct routine
+		   for hashing a given 'OtrlPrivKey'... */
+		hash = otrl_privkey_fingerprint(irc->otr->us, human, key->accountname, key->protocol);
+		if(hash) /* should always succeed */
+			irc_usermsg(irc, "    %s", human);
+	}
+	if(irc->otr->sent_accountname) {
+		irc_usermsg(irc, "  %s/%s - DSA", irc->otr->sent_accountname,
+			irc->otr->sent_protocol);
+		irc_usermsg(irc, "    (being generated)");
+	}
+	for(kg=irc->otr->todo; kg; kg=kg->next) {
+		irc_usermsg(irc, "  %s/%s - DSA", kg->accountname, kg->protocol);
+		irc_usermsg(irc, "    (queued)");
+	}
+	if(key == irc->otr->us->privkey_root &&
+	   !irc->otr->sent_accountname &&
+	   kg == irc->otr->todo)
+		irc_usermsg(irc, "  (none)");
+
+	/* list all contexts */
+	irc_usermsg(irc, "%s", "");
+	irc_usermsg(irc, "\x1f" "connection contexts:\x1f (bold=currently encrypted)");
+	for(ctx=irc->otr->us->context_root; ctx; ctx=ctx->next) {\
+		user_t *u;
+		char *userstring;
+		
+		u = peeruser(irc, ctx->username, ctx->protocol);
+		if(u)
+			userstring = g_strdup_printf("%s/%s/%s (%s)",
+				ctx->username, ctx->protocol, ctx->accountname, u->nick);
+		else
+			userstring = g_strdup_printf("%s/%s/%s",
+				ctx->username, ctx->protocol, ctx->accountname);
+		
+		if(ctx->msgstate == OTRL_MSGSTATE_ENCRYPTED) {
+			irc_usermsg(irc, "  \x02%s\x02", userstring);
+		} else {
+			irc_usermsg(irc, "  %s", userstring);
+		}
+		
+		g_free(userstring);
+	}
+	if(ctx == irc->otr->us->context_root)
+		irc_usermsg(irc, "  (none)");
+}
+
+void show_otr_context_info(irc_t *irc, ConnContext *ctx)
+{
+	switch(ctx->otr_offer) {
+	case OFFER_NOT:
+		irc_usermsg(irc, "  otr offer status: none sent");
+		break;
+	case OFFER_SENT:
+		irc_usermsg(irc, "  otr offer status: awaiting reply");
+		break;
+	case OFFER_ACCEPTED:
+		irc_usermsg(irc, "  otr offer status: accepted our offer");
+		break;
+	case OFFER_REJECTED:
+		irc_usermsg(irc, "  otr offer status: ignored our offer");
+		break;
+	default:
+		irc_usermsg(irc, "  otr offer status: %d", ctx->otr_offer);
+	}
+
+	switch(ctx->msgstate) {
+	case OTRL_MSGSTATE_PLAINTEXT:
+		irc_usermsg(irc, "  connection state: cleartext");
+		break;
+	case OTRL_MSGSTATE_ENCRYPTED:
+		irc_usermsg(irc, "  connection state: encrypted (v%d)", ctx->protocol_version);
+		break;
+	case OTRL_MSGSTATE_FINISHED:
+		irc_usermsg(irc, "  connection state: shut down");
+		break;
+	default:
+		irc_usermsg(irc, "  connection state: %d", ctx->msgstate);
+	}
+
+	irc_usermsg(irc, "  fingerprints: (bold=active)");	
+	show_fingerprints(irc, ctx);
+}
+
+int keygen_in_progress(irc_t *irc, const char *handle, const char *protocol)
+{
+	kg_t *kg;
+	
+	if(!irc->otr->sent_accountname || !irc->otr->sent_protocol)
+		return 0;
+
+	/* are we currently working on this key? */
+	if(!strcmp(handle, irc->otr->sent_accountname) &&
+	   !strcmp(protocol, irc->otr->sent_protocol))
+		return 1;
+	
+	/* do we have it queued for later? */
+	for(kg=irc->otr->todo; kg; kg=kg->next) {
+		if(!strcmp(handle, kg->accountname) &&
+		   !strcmp(protocol, kg->protocol))
+			return 1;
+	}
+	
+	return 0;
+}
+
+void otr_keygen(irc_t *irc, const char *handle, const char *protocol)
+{
+	/* do nothing if a key for the requested account is already being generated */
+	if(keygen_in_progress(irc, handle, protocol))
+		return;
+
+	/* see if we already have a keygen child running. if not, start one and put a
+	   handler on its output. */
+	if(!irc->otr->keygen || waitpid(irc->otr->keygen, NULL, WNOHANG)) {
+		pid_t p;
+		int to[2], from[2];
+		FILE *tof, *fromf;
+		
+		if(pipe(to) < 0 || pipe(from) < 0) {
+			irc_usermsg(irc, "otr keygen: couldn't create pipe: %s", strerror(errno));
+			return;
+		}
+		
+		tof = fdopen(to[1], "w");
+		fromf = fdopen(from[0], "r");
+		if(!tof || !fromf) {
+			irc_usermsg(irc, "otr keygen: couldn't streamify pipe: %s", strerror(errno));
+			return;
+		}
+		
+		p = fork();
+		if(p<0) {
+			irc_usermsg(irc, "otr keygen: couldn't fork: %s", strerror(errno));
+			return;
+		}
+		
+		if(!p) {
+			/* child process */
+			signal(SIGTERM, exit);
+			keygen_child_main(irc->otr->us, to[0], from[1]);
+			exit(0);
+		}
+		
+		irc->otr->keygen = p;
+		irc->otr->to = tof;
+		irc->otr->from = fromf;
+		irc->otr->sent_accountname = NULL;
+		irc->otr->sent_protocol = NULL;
+		irc->otr->todo = NULL;
+		b_input_add(from[0], GAIM_INPUT_READ, keygen_finish_handler, irc);
+	}
+	
+	/* is the keygen slave currently working? */
+	if(irc->otr->sent_accountname) {
+		/* enqueue our job for later transmission */
+		kg_t **kg = &irc->otr->todo;
+		while(*kg)
+			kg=&((*kg)->next);
+		*kg = g_new0(kg_t, 1);
+		(*kg)->accountname = g_strdup(handle);
+		(*kg)->protocol = g_strdup(protocol);
+	} else {
+		/* send our job over and remember it */
+		fprintf(irc->otr->to, "%s\n%s\n", handle, protocol);
+		fflush(irc->otr->to);
+		irc->otr->sent_accountname = g_strdup(handle);
+		irc->otr->sent_protocol = g_strdup(protocol);
+	}
+}
+
+void keygen_child_main(OtrlUserState us, int infd, int outfd)
+{
+	FILE *input, *output;
+	char filename[128], accountname[512], protocol[512];
+	gcry_error_t e;
+	int tempfd;
+	
+	input = fdopen(infd, "r");
+	output = fdopen(outfd, "w");
+	
+	while(!feof(input) && !ferror(input) && !feof(output) && !ferror(output)) {
+		myfgets(accountname, 512, input);
+		myfgets(protocol, 512, input);
+		
+		strncpy(filename, "/tmp/bitlbee-XXXXXX", 128);
+		tempfd = mkstemp(filename);
+		close(tempfd);
+
+		e = otrl_privkey_generate(us, filename, accountname, protocol);
+		if(e) {
+			fprintf(output, "\n");  /* this means failure */
+			fprintf(output, "otr keygen: %s\n", gcry_strerror(e));
+			unlink(filename);
+		} else {
+			fprintf(output, "%s\n", filename);
+			fprintf(output, "otr keygen for %s/%s complete\n", accountname, protocol);
+		}
+		fflush(output);
+	}
+	
+	fclose(input);
+	fclose(output);
+}
+
+gboolean keygen_finish_handler(gpointer data, gint fd, b_input_condition cond)
+{
+	irc_t *irc = (irc_t *)data;
+	char filename[512], msg[512];
+
+	myfgets(filename, 512, irc->otr->from);
+	myfgets(msg, 512, irc->otr->from);
+	
+	irc_usermsg(irc, "%s", msg);
+	if(filename[0]) {
+		char *kf = g_strdup_printf("%s%s.otr_keys", global.conf->configdir, irc->nick);
+		char *tmp = g_strdup_printf("%s.new", kf);
+		copyfile(filename, tmp);
+		unlink(filename);
+		rename(tmp,kf);
+		otrl_privkey_read(irc->otr->us, kf);
+		g_free(kf);
+		g_free(tmp);
+	}
+	
+	/* forget this job */
+	g_free(irc->otr->sent_accountname);
+	g_free(irc->otr->sent_protocol);
+	irc->otr->sent_accountname = NULL;
+	irc->otr->sent_protocol = NULL;
+	
+	/* see if there are any more in the queue */
+	if(irc->otr->todo) {
+		kg_t *p = irc->otr->todo;
+		/* send the next one over */
+		fprintf(irc->otr->to, "%s\n%s\n", p->accountname, p->protocol);
+		fflush(irc->otr->to);
+		irc->otr->sent_accountname = p->accountname;
+		irc->otr->sent_protocol = p->protocol;
+		irc->otr->todo = p->next;
+		g_free(p);
+		return TRUE;   /* keep watching */
+	} else {
+		/* okay, the slave is idle now, so kill him */
+		fclose(irc->otr->from);
+		fclose(irc->otr->to);
+		kill(irc->otr->keygen, SIGTERM);
+		waitpid(irc->otr->keygen, NULL, 0);
+		irc->otr->keygen = 0;
+		return FALSE;  /* unregister ourselves */
+	}
+}
+
+void copyfile(const char *a, const char *b)
+{
+	int fda, fdb;
+	int n;
+	char buf[1024];
+	
+	fda = open(a, O_RDONLY);
+	fdb = open(b, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	
+	while((n=read(fda, buf, 1024)) > 0)
+		write(fdb, buf, n);
+	
+	close(fda);
+	close(fdb);	
+}
+
+void myfgets(char *s, int size, FILE *stream)
+{
+	if(!fgets(s, size, stream)) {
+		s[0] = '\0';
+	} else {
+		int n = strlen(s);
+		if(n>0 && s[n-1] == '\n')
+			s[n-1] = '\0';
+	}
+}
+
+void yes_keygen(void *data)
+{
+	account_t *acc = (account_t *)data;
+	
+	if(keygen_in_progress(acc->irc, acc->user, acc->prpl->name)) {
+		irc_usermsg(acc->irc, "keygen for %s/%s already in progress",
+			acc->user, acc->prpl->name);
+	} else {
+		irc_usermsg(acc->irc, "starting background keygen for %s/%s",
+			acc->user, acc->prpl->name);
+		irc_usermsg(acc->irc, "you will be notified when it completes");
+		otr_keygen(acc->irc, acc->user, acc->prpl->name);
+	}
+}
+
+
+#else /* WITH_OTR undefined */
+
+void cmd_otr(irc_t *irc, char **args)
+{
+	irc_usermsg(irc, "otr: n/a, compiled without OTR support");
+}
+
+#endif
diff -Naur bitlbee-1.2.3/otr.h bitlbee-otr-1.2.3/otr.h
--- bitlbee-1.2.3/otr.h	Thu Jan  1 00:00:00 1970
+++ bitlbee-otr-1.2.3/otr.h	Sat Feb  7 09:16:38 2009
@@ -0,0 +1,117 @@
+  /********************************************************************\
+  * BitlBee -- An IRC to other IM-networks gateway                     *
+  *                                                                    *
+  * Copyright 2002-2008 Wilmer van der Gaast and others                *
+  \********************************************************************/
+
+/*
+  OTR support (cf. http://www.cypherpunks.ca/otr/)
+  
+  2008, Sven Moritz Hallberg <pesco@khjk.org>
+  (c) and funded by stonedcoder.org
+*/
+
+/*
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License with
+  the Debian GNU/Linux distribution in /usr/share/common-licenses/GPL;
+  if not, write to the Free Software Foundation, Inc., 59 Temple Place,
+  Suite 330, Boston, MA  02111-1307  USA
+*/
+
+#ifndef BITLBEE_PROTOCOLS_OTR_H
+#define BITLBEE_PROTOCOLS_OTR_H
+
+#include "bitlbee.h"
+
+
+// forward decls to avoid mutual dependencies
+struct irc;
+struct im_connection;
+struct account;
+
+// 'otr' root command, hooked up in root_commands.c
+void cmd_otr(struct irc *, char **args);
+
+
+#ifdef WITH_OTR
+#include <libotr/proto.h>
+#include <libotr/message.h>
+#include <libotr/privkey.h>
+
+/* representing a keygen job */
+typedef struct kg {
+	char *accountname;
+	char *protocol;
+	
+	struct kg *next;
+} kg_t;
+
+/* struct to encapsulate our book keeping stuff */
+typedef struct otr {
+	OtrlUserState us;
+	pid_t keygen;    /* pid of keygen slave (0 if none) */
+	FILE *to;        /* pipe to keygen slave */
+	FILE *from;      /* pipe from keygen slave */
+	
+	/* active keygen job (NULL if none) */
+	char *sent_accountname;
+	char *sent_protocol;
+	
+	/* keygen jobs waiting to be sent to slave */
+	kg_t *todo;
+} otr_t;
+
+/* called from main() */
+void otr_init(void);
+
+/* called from irc_new()/irc_free() */
+otr_t *otr_new();
+void otr_free(otr_t *otr);
+
+/* called by storage_* functions */
+void otr_load(struct irc *irc);
+void otr_save(struct irc *irc);
+void otr_remove(const char *nick);
+void otr_rename(const char *onick, const char *nnick);
+
+/* called from account_add() */
+int otr_check_for_key(struct account *a);
+
+/* called from imcb_buddy_msg() */
+char *otr_handle_message(struct im_connection *ic, const char *handle,
+	const char *msg);
+	
+/* called from imc_buddy_msg() */
+int otr_send_message(struct im_connection *ic, const char *handle, const char *msg,
+	int flags);
+
+#else
+
+typedef void otr_t;
+typedef void *OtrlMessageAppOps;
+
+#define otr_init() {}
+#define otr_new() (NULL)
+#define otr_free(otr) {}
+#define otr_load(irc) {}
+#define otr_save(irc) {}
+#define otr_remove(nick) {}
+#define otr_rename(onick,nnick) {}
+#define otr_check_for_key(acc) (0)
+#define otr_handle_message(ic,handle,msg) (g_strdup(msg))
+#define otr_send_message(ic,h,m,f) (ic->acc->prpl->buddy_msg(ic,h,m,f))
+
+void cmd_otr_nosupport(void *, char **);
+
+#endif
+#endif
diff -Naur bitlbee-1.2.3/protocols/jabber/jabber.c bitlbee-otr-1.2.3/protocols/jabber/jabber.c
--- bitlbee-1.2.3/protocols/jabber/jabber.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/protocols/jabber/jabber.c	Sun Feb  8 03:12:24 2009
@@ -527,6 +527,7 @@
 	struct prpl *ret = g_new0( struct prpl, 1 );
 	
 	ret->name = "jabber";
+	ret->mms = 0;                        /* no limit */
 	ret->login = jabber_login;
 	ret->init = jabber_init;
 	ret->logout = jabber_logout;
diff -Naur bitlbee-1.2.3/protocols/msn/msn.c bitlbee-otr-1.2.3/protocols/msn/msn.c
--- bitlbee-1.2.3/protocols/msn/msn.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/protocols/msn/msn.c	Sun Feb  8 03:11:00 2009
@@ -316,6 +316,7 @@
 	struct prpl *ret = g_new0(struct prpl, 1);
 	
 	ret->name = "msn";
+	ret->mms = 1409;         /* this guess taken from libotr UPGRADING file */
 	ret->login = msn_login;
 	ret->init = msn_init;
 	ret->logout = msn_logout;
diff -Naur bitlbee-1.2.3/protocols/nogaim.c bitlbee-otr-1.2.3/protocols/nogaim.c
--- bitlbee-1.2.3/protocols/nogaim.c	Sat Sep  6 12:33:14 2008
+++ bitlbee-otr-1.2.3/protocols/nogaim.c	Sun Feb  8 03:09:16 2009
@@ -636,6 +636,13 @@
 	irc_t *irc = ic->irc;
 	char *wrapped;
 	user_t *u;
+
+	/* pass the message through OTR */
+	msg = otr_handle_message(ic, handle, msg);
+	if(!msg) {
+		/* this was an internal OTR protocol message */
+		return;
+	}
 	
 	u = user_findhandle( ic, handle );
 	
@@ -994,7 +1001,9 @@
 		msg = buf;
 	}
 	
-	st = ic->acc->prpl->buddy_msg( ic, handle, msg, flags );
+	/* if compiled without otr support, this just calls the prpl buddy_msg */
+	st = otr_send_message(ic, handle, msg, flags);
+
 	g_free( buf );
 	
 	return st;
diff -Naur bitlbee-1.2.3/protocols/nogaim.h bitlbee-otr-1.2.3/protocols/nogaim.h
--- bitlbee-1.2.3/protocols/nogaim.h	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/protocols/nogaim.h	Sun Feb  8 03:07:02 2009
@@ -131,6 +131,10 @@
 	/* You should set this to the name of your protocol.
 	 * - The user sees this name ie. when imcb_log() is used. */
 	const char *name;
+	/* Maximum Message Size of this protocol.
+	 * - Introduced for OTR, in order to fragment large protocol messages.
+	 * - 0 means "unlimited". */
+	unsigned int mms;
 
 	/* Added this one to be able to add per-account settings, don't think
 	 * it should be used for anything else. You are supposed to use the
diff -Naur bitlbee-1.2.3/protocols/oscar/oscar.c bitlbee-otr-1.2.3/protocols/oscar/oscar.c
--- bitlbee-1.2.3/protocols/oscar/oscar.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/protocols/oscar/oscar.c	Sun Feb  8 03:05:31 2009
@@ -2642,6 +2642,7 @@
 {
 	struct prpl *ret = g_new0(struct prpl, 1);
 	ret->name = "oscar";
+	ret->mms = 2343;       /* this guess taken from libotr UPGRADING file */
 	ret->away_states = oscar_away_states;
 	ret->init = oscar_init;
 	ret->login = oscar_login;
diff -Naur bitlbee-1.2.3/protocols/yahoo/yahoo.c bitlbee-otr-1.2.3/protocols/yahoo/yahoo.c
--- bitlbee-1.2.3/protocols/yahoo/yahoo.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/protocols/yahoo/yahoo.c	Sun Feb  8 02:47:44 2009
@@ -350,6 +350,7 @@
 {
 	struct prpl *ret = g_new0(struct prpl, 1);
 	ret->name = "yahoo";
+	ret->mms = 832;           /* this guess taken from libotr UPGRADING file */
 	ret->init = byahoo_init;
 	
 	ret->login = byahoo_login;
diff -Naur bitlbee-1.2.3/root_commands.c bitlbee-otr-1.2.3/root_commands.c
--- bitlbee-1.2.3/root_commands.c	Sat Sep  6 13:10:19 2008
+++ bitlbee-otr-1.2.3/root_commands.c	Sun Feb  8 02:43:26 2009
@@ -286,6 +286,10 @@
 		}
 		
 		irc_usermsg( irc, "Account successfully added" );
+
+		if(otr_check_for_key(a)) {
+			irc_usermsg(irc, "otr: you will be notified when it completes");
+		}
 	}
 	else if( g_strcasecmp( cmd[1], "del" ) == 0 )
 	{
@@ -1096,5 +1100,6 @@
 	{ "nick",           1, cmd_nick,           0 },
 	{ "qlist",          0, cmd_qlist,          0 },
 	{ "join_chat",      2, cmd_join_chat,      0 },
+	{ "otr",            1, cmd_otr,            0 },
 	{ NULL }
 };
diff -Naur bitlbee-1.2.3/set.c bitlbee-otr-1.2.3/set.c
--- bitlbee-1.2.3/set.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/set.c	Sun Feb  8 02:40:33 2009
@@ -245,3 +245,143 @@
 	
 	return value;
 }
+
+/* generalized version of set_eval_op/voice_buddies */
+char *set_eval_mode_buddies( set_t *set, char *value, char modeflag )
+{
+	irc_t *irc = set->data;
+	char op[64], deop[64];
+	int nop=0, ndeop=0;
+	user_t *u;
+	int mode;
+	
+	if(!strcmp(value, "false"))
+		mode=0;
+	else if(!strcmp(value, "encrypted"))
+		mode=1;
+	else if(!strcmp(value, "trusted"))
+		mode=2;
+	else if(!strcmp(value, "notaway"))
+		mode=3;
+	else
+		return NULL;
+	
+	/* sorry for calling them op/deop - too lazy for search+replace :P */
+	op[0]='\0';
+	deop[0]='\0';
+	for(u=irc->users; u; u=u->next) {
+		/* we're only concerned with online buddies */
+		if(!u->ic || !u->online)
+			continue;
+
+		/* just in case... */
+		if(strlen(u->nick) >= 64)
+			continue;
+		
+		/* dump out ops/deops when the corresponding name list fills up */
+		if(strlen(op)+strlen(u->nick)+2 > 64) {
+			char *flags = g_strnfill(nop, modeflag);
+			irc_write( irc, ":%s!%s@%s MODE %s +%s%s", irc->mynick, irc->mynick, irc->myhost,
+		                                               irc->channel, flags, op );
+		    op[0]='\0';
+            nop=0;
+		    g_free(flags);
+		}
+		if(strlen(deop)+strlen(u->nick)+2 > 64) {
+			char *flags = g_strnfill(ndeop, modeflag);
+			irc_write( irc, ":%s!%s@%s MODE %s -%s%s", irc->mynick, irc->mynick, irc->myhost,
+		                                               irc->channel, flags, deop );
+		    deop[0]='\0';
+            ndeop=0;
+		    g_free(flags);
+		}
+		
+		switch(mode) {
+		/* "false" */
+		case 0:
+			g_strlcat(deop, " ", 64);
+			g_strlcat(deop, u->nick, 64);
+			ndeop++;
+			break;
+		/* "encrypted" */
+		case 1:
+			if(u->encrypted) {
+				g_strlcat(op, " ", 64);
+				g_strlcat(op, u->nick, 64);
+				nop++;
+			} else {
+				g_strlcat(deop, " ", 64);
+				g_strlcat(deop, u->nick, 64);
+				ndeop++;
+			}
+			break;
+		/* "trusted" */
+		case 2:
+			if(u->encrypted > 1) {
+				g_strlcat(op, " ", 64);
+				g_strlcat(op, u->nick, 64);
+				nop++;
+			} else {
+				g_strlcat(deop, " ", 64);
+				g_strlcat(deop, u->nick, 64);
+				ndeop++;
+			}
+			break;
+		/* "notaway" */
+		case 3:
+			if(u->away) {
+				g_strlcat(deop, " ", 64);
+				g_strlcat(deop, u->nick, 64);
+				ndeop++;
+			} else {
+				g_strlcat(op, " ", 64);
+				g_strlcat(op, u->nick, 64);
+				nop++;
+			}
+		}
+	}
+	/* dump anything left in op/deop lists */
+	if(*op) {
+		char *flags = g_strnfill(nop, modeflag);
+		irc_write( irc, ":%s!%s@%s MODE %s +%s%s", irc->mynick, irc->mynick, irc->myhost,
+		                                               irc->channel, flags, op );
+		g_free(flags);
+	}
+	if(*deop) {
+		char *flags = g_strnfill(ndeop, modeflag);
+		irc_write( irc, ":%s!%s@%s MODE %s -%s%s", irc->mynick, irc->mynick, irc->myhost,
+	                                               irc->channel, flags, deop );
+		g_free(flags);
+	}
+	
+	return value;
+}
+
+char *set_eval_op_buddies( set_t *set, char *value )
+{
+	return set_eval_mode_buddies(set, value, 'o');
+}
+
+char *set_eval_halfop_buddies( set_t *set, char *value )
+{
+	return set_eval_mode_buddies(set, value, 'h');
+}
+
+char *set_eval_voice_buddies( set_t *set, char *value )
+{
+	return set_eval_mode_buddies(set, value, 'v');
+}
+
+/* possible values: never, opportunistic, manual, always */
+char *set_eval_otr_policy( set_t *set, char *value )
+{
+	if ( !strcmp(value, "never") )
+		return value;
+	if ( !strcmp(value, "opportunistic") )
+		return value;
+	if ( !strcmp(value, "manual") )
+		return value;
+	if ( !strcmp(value, "always") )
+		return value;
+	return NULL;
+}
diff -Naur bitlbee-1.2.3/set.h bitlbee-otr-1.2.3/set.h
--- bitlbee-1.2.3/set.h	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/set.h	Sun Feb  8 02:28:04 2009
@@ -100,5 +100,9 @@
 /* Some not very generic evaluators that really shouldn't be here... */
 char *set_eval_to_char( set_t *set, char *value );
 char *set_eval_ops( set_t *set, char *value );
+char *set_eval_op_buddies( set_t *set, char *value );
+char *set_eval_halfop_buddies( set_t *set, char *value );
+char *set_eval_voice_buddies( set_t *set, char *value );
+char *set_eval_otr_policy( set_t *set, char *value );
 
 #endif /* __SET_H__ */
diff -Naur bitlbee-1.2.3/storage.c bitlbee-otr-1.2.3/storage.c
--- bitlbee-1.2.3/storage.c	Sat Sep  6 22:35:56 2008
+++ bitlbee-otr-1.2.3/storage.c	Sun Feb  8 02:25:09 2009
@@ -28,6 +28,7 @@
 #define BITLBEE_CORE
 #include "bitlbee.h"
 #include "crypting.h"
+#include "otr.h"
 
 extern storage_t storage_text;
 extern storage_t storage_xml;
@@ -115,8 +116,10 @@
 		storage_status_t status;
 
 		status = st->load(irc, password);
-		if (status == STORAGE_OK)
+		if (status == STORAGE_OK) {
+		  	otr_load(irc);		/* load our OTR userstate */
 			return status;
+		}
 		
 		if (status != STORAGE_NO_SUCH_USER) 
 			return status;
@@ -139,6 +142,7 @@
 		return STORAGE_NO_SUCH_USER;
 	}
 	
+	otr_save(irc);
 	st = ((storage_t *)global.storage->data)->save(irc, overwrite);
 	
 	if (password != NULL) {
@@ -164,6 +168,9 @@
 		if (status != STORAGE_NO_SUCH_USER && status != STORAGE_OK)
 			ret = status;
 	}
+	if (ret == STORAGE_OK) {
+		otr_remove(nick);
+	}
 	
 	return ret;
 }
@@ -181,8 +188,10 @@
 	/* First, try to rename in the current write backend, assuming onick 
 	 * is stored there */
 	status = primary_storage->rename(onick, nnick, password);
-	if (status != STORAGE_NO_SUCH_USER)
+	if (status != STORAGE_NO_SUCH_USER) {
+	  	otr_rename(onick, nnick);
 		return status;
+	}
 
 	/* Try to load from a migration backend and save to the current backend. 
 	 * Explicitly remove the account from the migration backend as otherwise 
@@ -206,6 +215,7 @@
 	irc_free(irc);
 
 	storage_remove(onick, password);
+	otr_rename(onick, nnick);
 
 	return STORAGE_OK;
 }
diff -Naur bitlbee-1.2.3/unix.c bitlbee-otr-1.2.3/unix.c
--- bitlbee-1.2.3/unix.c	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/unix.c	Sun Feb  8 02:07:12 2009
@@ -26,9 +26,11 @@
 #include "bitlbee.h"
 #include "commands.h"
 #include "crypting.h"
+#include "otr.h"
 #include "protocols/nogaim.h"
 #include "help.h"
 #include "ipc.h"
+#include "lib/ssl_client.h"
 #include <signal.h>
 #include <unistd.h>
 #include <sys/time.h>
@@ -53,6 +55,13 @@
 	
 	b_main_init();
 	nogaim_init();
+	/* Ugly Note: libotr and gnutls both use libgcrypt. libgcrypt
+	   has a process-global config state whose initialization happpens
+	   twice if libotr and gnutls are used together. libotr installs custom
+	   memory management functions for libgcrypt while our gnutls module
+	   uses the defaults. Therefore we initialize OTR after SSL. *sigh* */
+	ssl_init();
+	otr_init();
 	
 	srand( time( NULL ) ^ getpid() );
 	global.helpfile = g_strdup( HELP_FILE );
diff -Naur bitlbee-1.2.3/user.h bitlbee-otr-1.2.3/user.h
--- bitlbee-1.2.3/user.h	Sat Sep  6 12:33:13 2008
+++ bitlbee-otr-1.2.3/user.h	Sun Feb  8 02:04:20 2009
@@ -36,6 +36,7 @@
 	
 	char is_private;
 	char online;
+	char encrypted;
 	
 	char *handle;
 	char *group;
